Platform
php
Component
quick-cms
Fixed in
6.7.1
CVE-2024-11992 describes a critical path traversal vulnerability affecting Quick.CMS versions 6.7 through 6.7. This flaw allows unauthorized remote users to bypass intended access controls and potentially download or delete sensitive files on the server. The vulnerability stems from insufficient input validation within the admin.php page, specifically the aDirFiles[0] parameter. A patch, version 6.7.1, has been released to address this issue.
The impact of CVE-2024-11992 is significant due to the potential for complete data compromise. An attacker exploiting this vulnerability can leverage the path traversal to read arbitrary files from the server, including configuration files, database credentials, and source code. Furthermore, the vulnerability allows for file deletion, potentially disrupting the entire application and leading to denial of service. Successful exploitation requires no authentication, making it a high-priority risk. This vulnerability shares similarities with other path traversal exploits where attackers manipulate file paths to access unauthorized resources.
CVE-2024-11992 was publicly disclosed on November 29, 2024. The vulnerability's critical severity and ease of exploitation suggest a potential for active exploitation. Currently, there are no known public exploits, but the lack of authentication required makes it a prime target. Monitor security advisories and threat intelligence feeds for any indications of exploitation campaigns. This CVE has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS
0.15% (36% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-11992 is to immediately upgrade Quick.CMS to version 6.7.1 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict access to the admin.php page using a Web Application Firewall (WAF) or proxy server, blocking requests with suspicious characters in the aDirFiles[0] parameter. Carefully review and restrict file permissions on the server to minimize the impact of potential file deletion. Monitor access logs for unusual file access patterns that might indicate exploitation attempts. After upgrading, verify the fix by attempting to access files outside the intended document root via the admin.php page – access should be denied.
Update Quick.CMS to a patched version that addresses the path traversal vulnerability. Consult the vendor's website for the latest version and upgrade instructions. If a patched version is not available, consider disabling or removing the affected component until a fix is released.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-11992 is a critical path traversal vulnerability in Quick.CMS versions 6.7–6.7, allowing attackers to access or delete files outside the intended directory.
Yes, if you are running Quick.CMS version 6.7, you are vulnerable. Upgrade to version 6.7.1 or later to mitigate the risk.
Upgrade Quick.CMS to version 6.7.1 or later. As a temporary workaround, restrict access to the admin.php page using a WAF or proxy.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation. Monitoring is advised.
Refer to the Quick.CMS official website or security advisories for the latest information and updates regarding CVE-2024-11992.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.