CVE-2021-46203
Description
Taocms v3.0.2 was discovered to contain an arbitrary file read vulnerability via the path parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Taocms v3.0.2 allows authenticated admin users to read arbitrary files via path traversal in the file download function.
Vulnerability
Taocms v3.0.2 contains an arbitrary file read vulnerability in the file manager's download functionality. The path parameter in include/File.php is not sanitized, allowing directory traversal sequences such as ../ to read files outside the intended directory. This issue affects version 3.0.2 and possibly earlier versions [1].
Exploitation
An attacker must have valid admin credentials to log into the Taocms backend. After login, the attacker accesses the file manager and uses the download function. By manipulating the path parameter with ../ sequences, the attacker can traverse directories and read arbitrary files on the server [1].
Impact
Successful exploitation allows an authenticated admin to read any file on the server, leading to information disclosure of sensitive data such as configuration files, database credentials, or source code. The attacker gains read access at the privilege level of the web server process [1].
Mitigation
No official patch has been released by the vendor as of the publication date. A suggested workaround is to validate the path parameter and reject requests containing ../ or other traversal patterns. Users should monitor the vendor's repository for updates. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog [1].
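As an added example (not Taocms's own code), the PHP check below confines a requested download path to a base directory by canonicalising it with realpath() and comparing prefixes, which goes a step further than only rejecting the literal ../ pattern suggested in the workaround; the function name, parameter names and directory layout are assumptions for illustration.

```php
<?php
// Added example, not Taocms code: confine a requested download path to a base
// directory. Function and directory names are assumptions for illustration.

function resolveDownloadPath(string $baseDir, string $requested): ?string
{
    // Reject empty input and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory must exist
    }
    // realpath() collapses "." and ".." and resolves symlinks; it returns false
    // when the target does not exist, which also covers dangling links.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    // The resolved file must sit strictly inside the base directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    if (!is_file($candidate)) {
        return null; // only regular files may be served
    }
    return $candidate;
}

// Constructed demonstration: one file inside the download root, one outside it.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_' . bin2hex(random_bytes(4));
mkdir($tmp . '/files', 0700, true);
file_put_contents($tmp . '/files/report.txt', "in scope\n");
file_put_contents($tmp . '/outside.txt', "out of scope\n");

$checks = ['report.txt', '../outside.txt', 'sub/../../outside.txt'];
foreach ($checks as $req) {
    $resolved = resolveDownloadPath($tmp . '/files', $req);
    printf("%-24s -> %s\n", $req, $resolved === null ? 'rejected' : 'allowed');
}

// Clean up the constructed files.
unlink($tmp . '/files/report.txt');
unlink($tmp . '/outside.txt');
rmdir($tmp . '/files');
rmdir($tmp);
```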
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Taocms/Taocms
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/taogogo/taocms/issues/13
News mentions
No linked articles in our index yet.