CVE-2025-1335
Published: 16 February 2025
Description
A vulnerability, which was classified as problematic, was found in CmsEasy 7.7.7.9. Affected is the function deleteimg_action in the library lib/admin/file_admin.php. The manipulation of the argument imgname leads to path traversal. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Security Summary
CVE-2025-1335 is a path traversal vulnerability classified under CWE-22 in CmsEasy version 7.7.7.9. The flaw resides in the deleteimg_action function within the library lib/admin/file_admin.php, where manipulation of the imgname argument enables attackers to traverse directory paths beyond the intended boundaries.
With a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), the vulnerability can be exploited remotely by an authenticated attacker holding low privileges. Exploitation requires network access, has low attack complexity, and needs no user interaction; the rated impact is limited disclosure of confidential information through unauthorized file access.
The VulDB entry and a GitHub repository referenced in the advisories document the public disclosure of an exploit. The vendor was contacted early about the issue but provided no response, so no official patch or mitigation guidance is available.
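The root cause described above is the classic CWE-22 pattern: a file name taken from the request is joined onto an upload directory and passed to a filesystem call without confining the result to that directory. The following is an added illustration, not CmsEasy's code and not taken from the advisory: a schematic vulnerable delete handler next to a hardened one. The function names, the $uploadDir parameter and the temporary directory used in the demonstration are assumptions for illustration only.

```php
<?php
// Added example (hypothetical, not CmsEasy's lib/admin/file_admin.php).
// Shows the CWE-22 pattern behind an image-delete action and a hardened form.

// VULNERABLE PATTERN: the caller-supplied name is concatenated and unlinked as-is,
// so a name containing "../" segments can reach files outside $uploadDir.
function unsafe_delete_image(string $uploadDir, string $imgname): bool
{
    return @unlink($uploadDir . DIRECTORY_SEPARATOR . $imgname);
}

// HARDENED FORM: accept only a bare file name and require the resolved path
// to remain inside the upload directory before deleting anything.
function safe_delete_image(string $uploadDir, string $imgname): bool
{
    // Reject separators, NUL bytes and the dot entries: a bare file name only.
    if ($imgname === '' || $imgname === '.' || $imgname === '..'
        || strpbrk($imgname, "/\\\0") !== false) {
        return false;
    }

    $base = realpath($uploadDir);
    if ($base === false) {
        return false; // upload directory does not exist
    }

    // realpath() also follows symlinks, so a link pointing outside is caught here.
    $target = realpath($base . DIRECTORY_SEPARATOR . $imgname);
    if ($target === false || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false; // missing file, symlink escape, or traversal attempt
    }

    if (!is_file($target)) {
        return false; // never delete directories or special files
    }

    return unlink($target);
}

// Constructed demonstration: a temporary upload directory holding one image.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'photo.jpg', 'x');

// A traversal-style name is refused by the hardened handler.
echo 'traversal name rejected: ', var_export(!safe_delete_image($dir, '../outside.txt'), true), PHP_EOL;
// A plain in-directory file name is deleted.
echo 'in-directory delete:     ', var_export(safe_delete_image($dir, 'photo.jpg'), true), PHP_EOL;
// Deleting it a second time fails because realpath() no longer resolves it.
echo 'repeat delete:           ', var_export(safe_delete_image($dir, 'photo.jpg'), true), PHP_EOL;

rmdir($dir);
```

The containment check compares against $base with a trailing separator so that a sibling directory whose name merely starts with the upload directory's name (for example uploads2 next to uploads) is not accepted. Rejecting separators up front, before calling realpath(), also avoids the PHP 8 ValueError that realpath() raises on paths containing NUL bytes. When reviewing a handler like the one in this advisory, the presence of an unlink(), rename() or file_get_contents() on a request-derived name with no such check is the signal a defender should flag.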
Details
- CWE(s)