VYPR
Medium severity 6.5 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25393

Description

Navigate CMS 2.8.5 contains a path traversal vulnerability that allows authenticated users to download arbitrary files by injecting directory traversal sequences in the id parameter. Attackers can send GET requests to navigate_download.php with path traversal payloads such as ../../../cfg/globals.php to access sensitive configuration files and system files outside the intended directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Navigate CMS 2.8.5 allows authenticated users to download arbitrary files via path traversal in the id parameter of navigate_download.php.

Vulnerability

Navigate CMS 2.8.5 contains a path traversal vulnerability in the navigate_download.php script. The id parameter is not sanitized, allowing directory traversal sequences such as ../../../cfg/globals.php to read arbitrary files. The vulnerability affects version 2.8.5 as confirmed by the vendor download [1] and exploit-db [2]. The code path is reachable by any authenticated user, as the profile check is insufficient [2].

Exploitation

An attacker must have a valid user account (any profile, including the default "User" profile) and send a GET request to navigate_download.php with a crafted id parameter containing path traversal sequences. The wid parameter must also be provided (e.g., wid=1). The PoC in [2] demonstrates the request: GET /[PATH]/navigate_download.php?wid=1&id=../../../cfg/globals.php. No additional authentication bypass is needed; the session cookie is used.

Impact

Successful exploitation allows an authenticated attacker to download arbitrary files from the server, including sensitive configuration files such as cfg/globals.php which may contain database credentials and other secrets. This leads to information disclosure of potentially critical system data. The CVSS v3 score is 6.5 (Medium) [3], indicating moderate impact on confidentiality.

Mitigation

As of the available references, no official patch has been released. The vendor homepage [4] does not mention a fix. Users should restrict access to navigate_download.php via web server configuration (e.g., .htaccess), or upgrade to a version beyond 2.8.5 if available. The vulnerability is listed in the Exploit Database [2] and VulnCheck [3] but not in CISA KEV as of the publication date.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"The `id` parameter in `navigate_download.php` is used directly as a file path without sanitization, enabling directory traversal."

Attack vector

An authenticated user (any profile with download privileges) sends a GET request to `navigate_download.php` with a `wid` parameter and an `id` parameter containing path traversal sequences, e.g. `id=../../../cfg/globals.php` [ref_id=1]. The server responds with the contents of the requested file, as demonstrated by the successful retrieval of `cfg/globals.php` and `Windows/win.ini` [ref_id=1]. This is a classic path traversal vulnerability [CWE-22] [ref_id=2].

Affected code

The vulnerability resides in `navigate_download.php`. The `id` parameter is taken directly from `$_REQUEST['id']` and passed to `$item->load()` without sanitization, allowing directory traversal sequences such as `../../../cfg/globals.php` to be used as the file path [ref_id=1].

What the fix does

The advisory does not include a published patch. To remediate, the application must validate that the `id` parameter resolves to a file within an allowed directory, rejecting any input containing `../` or other path traversal sequences [ref_id=2]. Without such validation, an attacker can read arbitrary files readable by the web server process.
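
Because no patch is published, reviewing web server access logs for the request shape described above is a practical check. The following Python sketch is an added example, not code from the advisory or from Navigate CMS. It assumes combined-format access logs and that legitimate `id` values are plain identifiers rather than paths; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request field of a combined-format log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ENDPOINT = "navigate_download.php"

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so encoded separators are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(id_value):
    """True if the decoded id has a '..' path segment or is an absolute path."""
    path = decode_fully(id_value).replace("\\", "/")
    if path.startswith("/") or re.match(r"^[A-Za-z]:/", path):
        return True
    return ".." in path.split("/")

def suspicious_requests(log_lines):
    """Return (line_number, decoded id) for traversal-style ids on the endpoint."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/" + ENDPOINT):
            continue
        # parse_qs removes one layer of percent-encoding from each value
        for id_value in parse_qs(target.query, keep_blank_values=True).get("id", []):
            if is_traversal(id_value):
                hits.append((number, decode_fully(id_value)))
    return hits

# Constructed sample lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /navigate/navigate_download.php?wid=1&id=42 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /navigate/navigate_download.php?wid=1&id=../../../cfg/globals.php HTTP/1.1" 200 2048',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /navigate/navigate_download.php?wid=1&id=%2e%2e%2fcfg%2fglobals.php HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2024:10:00:12 +0000] "GET /navigate/index.php?id=../x HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: id={value}")
```

A hit with a 200 status and a response size matching a configuration file is worth following up with credential rotation, since the advisory notes that `cfg/globals.php` may hold database credentials.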

Preconditions

  • auth: The attacker must have a valid authenticated session (any user profile with download access).
  • config: The target must be running Navigate CMS 2.8.5 (or earlier).
  • network: The attacker must be able to send HTTP GET requests to the vulnerable endpoint.

Reproduction

Send a GET request to `http://TARGET/[PATH]/navigate_download.php?wid=1&id=../../../cfg/globals.php` with a valid session cookie. The server returns the contents of `cfg/globals.php` [ref_id=1].

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
