CVE-2020-26649
Description
AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AtomXCMS 2.0 suffers from incorrect access control in admin/dump.php allowing arbitrary file deletion.
Vulnerability
AtomXCMS 2.0 contains an incorrect access control vulnerability in the admin/dump.php script. The application does not properly enforce authentication or authorization checks, allowing any user who can reach the administrative interface to trigger file deletion operations without valid admin credentials. The issue is present in all versions of AtomXCMS 2.0 as described in the official CVE description and the associated issue report [1].
Exploitation
An attacker with network access to the AtomXCMS administrative panel (typically located at /admin/dump.php) can directly invoke the script without authentication. The dump.php script accepts parameters to specify files or directories to delete, and due to the lack of access control, the attacker can supply arbitrary file paths. The exploitation requires no special privileges or user interaction beyond reaching the vulnerable endpoint [1].
Impact
Successful exploitation allows an attacker to arbitrarily delete files and directories on the server, potentially including configuration files, application code, or critical system data. This can lead to denial of service, data loss, or complete application compromise if sensitive files are removed. The impact is limited to file deletion; no code execution is described in the available references [1].
Mitigation
As of the publication date (2020-10-22), no official patch or fixed version has been released for AtomXCMS 2.0. The vendor has not responded to the issue report, and the software appears to be abandoned or unmaintained. Administrators should restrict access to the /admin/ directory using web server access controls (e.g., .htaccess or firewall rules) and consider migrating to an alternative CMS if ongoing support is required [1].
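One way to apply the web server restriction described above, as an added example (not AtomXCMS's own configuration). It assumes Apache 2.4 with mod_authz_core, that `AllowOverride` permits authorization directives for the directory, and that the file is placed in the site's `admin/` directory; the allowlisted address is a constructed placeholder.

```apache
# admin/.htaccess  (added example; assumes Apache 2.4 with mod_authz_core
# and "AllowOverride AuthConfig" or broader for this directory)

# Weak: no authorization directive for this directory. Apache then serves
# admin/dump.php to any client and access control is left to the script itself.

# Hardened: only allowlisted management hosts may reach anything under admin/.
# 203.0.113.10 is a constructed placeholder; replace with your admin source IPs.
Require ip 203.0.113.10

# dump.php is the script named in the CVE; refuse it for every client,
# including allowlisted ones, unless the script is actually needed.
<Files "dump.php">
    Require all denied
</Files>
```

After deploying, a request for /admin/dump.php from a host outside the allowlist should return 403 and appear in the access log with that status.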
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- AtomXCMS/AtomXCMS (source: description)
- Range: 2.0
Patches
No patches discovered yet.
References
[1] github.com/Drunyacoder/AtomXCMS-2/issues/19 (mitre, x_refsource_MISC)