Skip to main content

Cms CVE-2017-11440

MEDIUM
Path Traversal (CWE-22)
2017-07-19 cve@mitre.org
4.9
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 19, 2017 - 07:29 cve.org
MEDIUM 4.9

DescriptionCVE.org

In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter.

AnalysisAI

In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Path Traversal (CWE-22), which allows attackers to access files and directories outside the intended path. In Sitecore 8.2, there is absolute path traversal via the shell/Applications/Layouts/IDE.aspx fi parameter and the admin/LinqScratchPad.aspx Reference parameter. Affected products include: Sitecore Cms.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate and canonicalize file paths. Use chroot or sandboxing. Reject input containing path separators or '../' sequences.

More in Cms

View all
CVE-2020-7357 CRITICAL POC
9.9 Aug 06

Cayin CMS suffers from an authenticated OS semi-blind command injection vulnerability using default credentials. Rated c

CVE-2012-4405 MEDIUM
6.8 Sep 18

Multiple integer underflows in the icmLut_allocate function in International Color Consortium (ICC) Format library (iccl

CVE-2021-47753 CRITICAL POC
9.8 Jan 15

phpKF CMS 3.00 Beta allows unauthenticated PHP file upload by disguising it as a PNG, then renaming it for execution. Po

CVE-2019-9874 CRITICAL POC
9.8 May 31

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 an

CVE-2019-9875 HIGH POC
8.8 May 31

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to ex

CVE-2012-5894 HIGH POC
7.5 Nov 17

SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitr

CVE-2012-5893 MEDIUM POC
6.8 Nov 17

Unrestricted file upload vulnerability in hava_upload.php in Havalite CMS 1.1.0 and earlier allows remote attackers to e

CVE-2015-2083 MEDIUM POC
6.8 Feb 25

Cross-site request forgery (CSRF) vulnerability in Ilch CMS allows remote attackers to hijack the authentication of admi

CVE-2012-5919 MEDIUM POC
4.3 Nov 19

Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbit

CVE-2025-5429 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5428 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

CVE-2025-5427 MEDIUM POC
6.3 Jun 02

A security vulnerability in juzaweb CMS (CVSS 6.3). Risk factors: public PoC available.

Share

CVE-2017-11440 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy