CmsEasy Path Traversal Vulnerability in Image Administration Function

A path traversal vulnerability has been identified in CmsEasy version 7.7.7.9. The issue resides in the 'deleteimg_action' function within 'lib/admin/image_admin.php'. This vulnerability allows for arbitrary file deletion by manipulating the 'imgname' parameter, exploiting insufficient input validation to traverse directories and target files for deletion. The vulnerability requires backend privileges to exploit.

Impact

Exploitation of this vulnerability allows authenticated users to delete arbitrary files on the server, potentially leading to the removal of critical application files or other sensitive data.

Reproduction

To reproduce this vulnerability, an authenticated user must send a request to the 'deleteimg_action' function in the image administration module. The 'imgname' parameter can be crafted to include directory traversal sequences, such as '../', to navigate out of the intended directory and target files for deletion. After the request is processed, the specified file will be deleted if the traversal is successful.