VYPR
High severity · NVD Advisory · Published Feb 18, 2022 · Updated Aug 4, 2024

CVE-2021-46062

Description

MCMS v5.2.5 was discovered to contain an arbitrary file deletion vulnerability via the component oldFileName.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MCMS v5.2.5 suffers from an arbitrary file deletion vulnerability via the `oldFileName` parameter in the template management component.

Vulnerability

MCMS version 5.2.5, a content management system, contains an arbitrary file deletion vulnerability. The flaw resides in the `net/mingsoft/basic/action/TemplateAction.java` file, where the `oldFileName` parameter is passed to `FileUtil.class` without proper sanitization or validation, allowing deletion of any file on the server. The vulnerable code path is reachable via the background template management function, which requires prior authentication as an administrator. [1], [2]

Exploitation

To exploit this vulnerability, an attacker must have access to the admin panel (background) and navigate to System Settings > Template Management. A crafted HTTP request with the `oldFileName` parameter set to an arbitrary file path (e.g., `fileName=x&oldFileName=/etc/passwd`) causes the application to invoke the file deletion routine. No additional privileges or special conditions are required beyond administrative access. [2]

Impact

Successful exploitation allows an authenticated attacker to delete arbitrary files on the server, potentially causing denial of service, data loss, or enabling further compromise of the system (e.g., deleting critical configuration files or application binaries). The impact is limited by the requirement for administrative credentials but can be severe in terms of availability and integrity. [1], [2]

Mitigation

As of the publication date (February 18, 2022), no official patched version of MCMS had been released. The vendor (ming-soft) has acknowledged the issue via a GitHub issue, but no fix is available. Administrators should restrict access to the admin panel, apply strict file system permissions, and consider implementing a web application firewall (WAF) rule to block requests with suspicious oldFileName values. [1], [2]
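One way to add the validation that the Vulnerability section says is missing, applied to `oldFileName` before it reaches any file-deletion routine. This is an added example, not MCMS code or the vendor's patch; the class `TemplatePathGuard`, the method `resolveInside` and the temporary directory standing in for the template root are assumptions.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: confines a request-supplied template name to one directory.
// TemplatePathGuard, resolveInside and the directory layout are hypothetical.
public class TemplatePathGuard {

    /** Resolve userName under baseDir, or throw if it would land outside it. */
    static Path resolveInside(Path baseDir, String userName) throws IOException {
        if (userName == null || userName.isEmpty() || userName.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed file name");
        }
        Path base = baseDir.toRealPath();               // canonical, symlinks resolved
        Path candidate = base.resolve(userName).normalize();
        // resolve() returns the argument itself when it is absolute, so
        // "/etc/passwd" fails this check just like "../../etc/passwd".
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            throw new SecurityException("path escapes template directory: " + userName);
        }
        // If the file exists, compare its real path too, so a symlinked
        // directory under the template root cannot redirect the delete.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new SecurityException("symlink escapes template directory: " + userName);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temporary directory standing in for the template root.
        Path root = Files.createTempDirectory("templates");
        Files.createFile(root.resolve("index.htm"));

        String[] samples = { "index.htm", "/etc/passwd", "../../etc/passwd", "sub/../index.htm" };
        for (String name : samples) {
            try {
                Path target = resolveInside(root, name);
                System.out.println("allowed:  " + name + " -> " + target);
            } catch (SecurityException e) {
                System.out.println("rejected: " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the path returned by `resolveInside` should be handed to the delete call; the raw request value should never reach it.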

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| net.mingsoft:ms-basic | Maven | < 2.1.16 | 2.1.16 |
| net.mingsoft:ms-mcms | Maven | < 5.2.11 | 5.2.11 |
