CVE-2018-20604 — MEDIUM (4.9)

Vulnerability Description

Lei Feng TV CMS (aka LFCMS) 3.8.6 allows Directory Traversal via crafted use of ..* in Template/edit/path URIs, as demonstrated by the admin.php?s=/Template/edit/path/*web*..*..*..*..*1.txt.html URI to read the 1.txt file.

CVSS Score

4.9

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Lfdycms	Lei Feng Tv Cms	3.8.6

Related Weaknesses (CWE)

CWE-22

References

https://github.com/AvaterXXX/CVEs/blob/master/lfdycms.md#directory-traversalExploitThird Party Advisory
https://github.com/AvaterXXX/CVEs/blob/master/lfdycms.md#directory-traversalExploitThird Party Advisory

FAQ

What is CVE-2018-20604?

CVE-2018-20604 is a vulnerability with a CVSS score of 4.9 (MEDIUM). Lei Feng TV CMS (aka LFCMS) 3.8.6 allows Directory Traversal via crafted use of ..* in Template/edit/path URIs, as demonstrated by the admin.php?s=/Template/edit/path/*web*..*..*..*..*1.txt.html URI t...

How severe is CVE-2018-20604?

CVE-2018-20604 has been rated MEDIUM with a CVSS base score of 4.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-20604?

Check the references section above for vendor advisories and patch information. Affected products include: Lfdycms Lei Feng Tv Cms.