VYPR
High severity · NVD Advisory · Published Mar 28, 2022 · Updated Aug 3, 2024

CVE-2021-26601

Description

ImpressCMS before 1.4.3 allows libraries/image-editor/image-edit.php image_temp Directory Traversal.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ImpressCMS before 1.4.3 allows directory traversal in the image editor's image_temp parameter, enabling unauthorized file operations.

Vulnerability

A directory traversal vulnerability exists in ImpressCMS versions before 1.4.3 in the file libraries/image-editor/image-edit.php. The image_temp parameter is not properly sanitized, allowing an attacker to include path traversal sequences (e.g., ..) to access files outside the intended temporary directory. The issue was addressed in pull request #915 by transforming .. sequences to underscores in the parameter value [1][2].

Exploitation

An attacker must have network access to the ImpressCMS instance and the ability to send crafted HTTP requests to the image editor endpoint. No authentication is explicitly required, but the endpoint may be accessible only to certain user roles depending on configuration. The attacker can manipulate the image_temp parameter with traversal sequences like ../../etc/passwd to read arbitrary files from the server filesystem [1][2].

Impact

Successful exploitation allows an attacker to read arbitrary files on the server, potentially disclosing sensitive information such as configuration files, database credentials, or source code. The traversal could also be used to write files if the application logic allows saving to the traversed path, though the primary impact is information disclosure [2].

Mitigation

The vulnerability is fixed in ImpressCMS version 1.4.3, released on 2022-03-28 [2][4]. Users should upgrade immediately to this or a later version. The fix transforms .. to _ in the image_temp parameter to prevent directory traversal [1]. No workarounds are documented; upgrading is the recommended mitigation. This CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
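The fix pattern described in the Vulnerability and Mitigation sections, written up here as an added Python example (not ImpressCMS's own PHP code): the ".."-to-"_" substitution beside a path-containment check that resolves the candidate path and confirms it still lies under the temporary directory. Function names and the base directory path are assumptions.

```python
import os
from typing import Optional


def neutralise_dotdot(value: str) -> Optional[str]:
    """Reconstruction of the fix pattern described for CVE-2021-26601:
    every '..' in the image_temp value becomes '_'. This is an assumed
    illustration of the described behaviour, not the ImpressCMS patch."""
    return value.replace("..", "_")


def resolve_inside(base_dir: str, user_value: str) -> Optional[str]:
    """Containment check: resolve the supplied value against base_dir and
    return the absolute path only if it is still under base_dir.
    Because realpath() resolves '..', absolute paths and symlinks, this
    rejects escapes that a substring substitution alone does not address."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_value))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def classify(base_dir: str, user_value: str) -> dict:
    """Run one image_temp value through both defences and report
    whether the raw and the sanitised value stay inside base_dir."""
    sanitised = neutralise_dotdot(user_value)
    return {
        "sanitised": sanitised,
        "raw_inside": resolve_inside(base_dir, user_value) is not None,
        "sanitised_inside": resolve_inside(base_dir, sanitised) is not None,
    }


if __name__ == "__main__":
    # Constructed sample values; the base directory is a placeholder path.
    base = "/var/www/impresscms/uploads/image_temp"
    for value in ("thumb_42.jpg", "../../etc/passwd", "/etc/passwd"):
        print(value, classify(base, value))
```

The substitution also rewrites legitimate names containing ".." (for example "a..b.jpg" becomes "a_b.jpg"), which is why the containment check is the more precise control to keep alongside it.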

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: impresscms/impresscms (Packagist)
Affected versions: < 1.4.3
Patched versions: 1.4.3
