299ko Path Traversal Vulnerability in FileManagerAPIController

Vulnerability

A path traversal vulnerability has been identified in 299ko versions through 2.0.0. The issue arises in the FileManagerAPIController.php file, specifically within the getSentDir and delete functions. This vulnerability allows remote attackers to manipulate file paths, potentially leading to unauthorized file deletion on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion on the server.

Reproduction

To reproduce this vulnerability, send a POST request to the 'view-ajax/delete' endpoint of the file manager. Include a crafted 'fmFolderToSee' parameter that exploits the path traversal vulnerability by navigating to a sensitive directory, and a 'filename' parameter specifying a file to be deleted.
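The root cause described above is a folder parameter that is joined onto the file manager's base directory without a containment check. The following is an added example, not 299ko's own code, of the check that closes this bug class: canonicalise the requested folder with realpath() and refuse any result that leaves the base directory, and require the filename to be a single path component. The names safeResolveForDelete, $baseDir, $folder and $filename are hypothetical.

```php
<?php
// Added example (hypothetical names, not 299ko's FileManagerAPIController):
// resolve a user-supplied folder and filename against a fixed base directory
// and return the absolute file path only if it stays inside that directory.

function safeResolveForDelete(string $baseDir, string $folder, string $filename): ?string
{
    // realpath() throws on embedded NUL bytes in PHP 8; reject them up front.
    if (strpos($folder, "\0") !== false || strpos($filename, "\0") !== false) {
        return null;
    }
    // Canonicalise the base once; realpath() also collapses symlinks and "..".
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The filename must be a single component: no separators, no "." or "..".
    if ($filename === '' || $filename === '.' || $filename === '..'
        || strpbrk($filename, "/\\") !== false) {
        return null;
    }
    // Resolve the folder relative to the base, never as an absolute path.
    $target = realpath($base . DIRECTORY_SEPARATOR . ltrim($folder, "/\\"));
    if ($target === false) {
        return null; // folder does not exist
    }
    // Containment check: the resolved folder is the base itself or lies beneath it.
    if ($target !== $base && strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null; // "../" sequences or a symlink escaped the base directory
    }
    $file = $target . DIRECTORY_SEPARATOR . $filename;
    // Only regular files are deletable; directories and links are refused.
    if (!is_file($file) || is_link($file)) {
        return null;
    }
    return $file;
}

// Usage in a delete handler (hypothetical $uploadRoot):
// $path = safeResolveForDelete($uploadRoot, $_POST['fmFolderToSee'] ?? '', $_POST['filename'] ?? '');
// if ($path === null) { http_response_code(400); return; }
// unlink($path);
```

With this check, a folder value such as `../../etc` resolves to a path outside `$base` and the handler returns 400 instead of calling unlink().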

Added: Sep 10, 2025, 11:17 PM
Updated: Sep 10, 2025, 11:17 PM

Vulnerability Rating

Custom Algorithm
spread          0.0
impact          2.5
exploitability  6.6
remediation     0.0
relevance       0.5
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.