FoxCMS Arbitrary File Deletion Vulnerability

Vulnerability

An arbitrary file deletion vulnerability has been identified in FoxCMS version 1.2.5. The issue arises in the 'delRestoreSerie' method, where the application fails to properly sanitize the 'id' parameter. This lack of input validation allows for directory traversal, enabling the deletion of specified directories and their contents on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion on the server. If critical application directories are removed, it could lead to a complete denial-of-service condition for the application.

Reproduction

To reproduce this vulnerability, send a POST request to the '/admin/backup/delRestoreSerie' endpoint. Include a crafted 'id' parameter that traverses directories (using relative path manipulation) to reach a target directory, such as one within the web server's document root. The application will delete the specified directory and its contents recursively.
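The root cause described above is an unvalidated 'id' being joined onto a backup directory path before a recursive delete. The following is an added hardening example written for this advisory, not FoxCMS source code; the backup directory location and the series-id format are assumptions. It rejects traversal at two independent points: an allowlist on the id, and a canonical-path containment check before anything is removed.

```php
<?php
// Added hardening example, not FoxCMS code: the advisory's bug amounts to deleting
// BACKUP_DIR . '/' . $_POST['id'] unchecked. BACKUP_DIR is an assumed path.
const BACKUP_DIR = '/var/www/app/data/backup';

// Allowlist: a series id is a short token, so "../" can never be part of it.
function isValidSeriesId(string $id): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id);
}

// Independent second guard: canonicalise and require the result to stay under
// BACKUP_DIR. realpath() returns false for a missing path, which is also refused.
function resolveSeriesDir(string $id): ?string
{
    $base = realpath(BACKUP_DIR);
    $target = realpath(BACKUP_DIR . DIRECTORY_SEPARATOR . $id);
    if ($base === false || $target === false) {
        return null;
    }
    // The trailing separator stops "/data/backup_old" passing as inside "/data/backup".
    return strpos($target, $base . DIRECTORY_SEPARATOR) === 0 ? $target : null;
}

// Recursive delete that does not follow symlinks out of the series directory.
function deleteTree(string $dir): void
{
    foreach (array_diff(scandir($dir), ['.', '..']) as $entry) {
        $path = $dir . DIRECTORY_SEPARATOR . $entry;
        if (is_dir($path) && !is_link($path)) {
            deleteTree($path);
        } else {
            unlink($path);
        }
    }
    rmdir($dir);
}

function delRestoreSerie(string $id): bool
{
    if (!isValidSeriesId($id)) {
        return false; // ids such as "../../public" stop here
    }
    $dir = resolveSeriesDir($id);
    if ($dir === null) {
        return false;
    }
    deleteTree($dir);
    return true;
}
```

The containment check in resolveSeriesDir also covers the case where a symlink inside the backup directory points outside it, since realpath() resolves the link before the prefix comparison.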

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm (score per category)
spread: 0.0
impact: 0.8
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.