CVSS2
Attack Vector: NETWORK
Attack Complexity: HIGH
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
EPSS
Percentile: 97.5%
High-Tech Bridge Security Research Lab reports:
The CSRF vulnerability exists due to insufficient verification of the
HTTP request origin in “/admin.php” script. A remote attacker can trick
a logged-in administrator into visiting a specially crafted webpage and
create an arbitrary PHP file on the remote server.

The path traversal vulnerability exists due to insufficient filtration
of user-supplied input in “dl” HTTP GET parameter passed to
“/install.php” script. The script is present on the system after
installation by default, and can be accessed by an attacker without any
restrictions.