CVE-2014-1836: ImpressCMS Path Traversal to Arbitrary File Delete
CVSS Score: 6.4
Basic Information
CVE ID: CVE-2014-1836
GHSA ID:
EPSS Score: 0.94863%
CWE:
Published: 5/17/2022
Updated: 8/16/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
impresscms/impresscms | composer | < 1.3.6 | 1.3.6 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs in htdocs/libraries/image-editor/image-edit.php, where the 'image_path'/'image_temp' parameter is used unsafely in unlink() calls. The vulnerable code runs in the script's main execution flow rather than inside a named function or class method, so PHP's global scope (shown as '{main}' in stack traces) provides no specific function signature. The file path and the parameter handling are the key indicators; no discrete function names are identifiable from the provided patch descriptions.
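
A containment check that guards an unlink() call against a request-supplied path, as an added example (not ImpressCMS code and not the 1.3.6 patch). The function name `safe_unlink`, the base directory layout and the sample files are assumptions made for illustration.

```php
<?php
// Added example, not ImpressCMS code. safe_unlink() and the demo tree
// below are hypothetical names and constructed sample data.

/**
 * Delete $userPath only if it resolves to a regular file inside $baseDir.
 * Returns true when a file was deleted, false when the request is refused.
 */
function safe_unlink(string $baseDir, string $userPath): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        return false; // base directory does not exist
    }

    // realpath() collapses "..", "." and symlinks, and returns false
    // when the resulting path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($target === false || !is_file($target)) {
        return false;
    }

    // Compare against the base plus a trailing separator so that a
    // sibling such as "uploads_old" cannot match the prefix "uploads".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved path is outside the allowed directory
    }

    return unlink($target);
}

// Constructed demo in a throwaway temporary tree.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'unlink_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/tmp_image.png', 'x');
file_put_contents($root . '/config.php', 'x');

var_dump(safe_unlink($root . '/uploads', 'tmp_image.png')); // file inside the base directory
var_dump(safe_unlink($root . '/uploads', '../config.php')); // path that resolves outside it
var_dump(file_exists($root . '/config.php'));               // whether the outside file survived

// Clean up the demo tree.
unlink($root . '/config.php');
rmdir($root . '/uploads');
rmdir($root);
```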