CVE-2024-25502
Description
Directory Traversal vulnerability in flusity CMS v.2.4 allows a remote attacker to execute arbitrary code and obtain sensitive information via the download_backup.php component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Directory Traversal in flusity CMS v2.4 allows unauthenticated attackers to read arbitrary files via the download_backup.php component.
Vulnerability
A directory traversal vulnerability exists in flusity CMS version 2.4 in the download_backup.php component. The $filename parameter is taken directly from $_GET['file'] without any sanitization, allowing an attacker to specify arbitrary file paths [1].
Exploitation
No authentication is required because define('isAdmin', true) is set unconditionally at the top of the script, so the admin check never blocks anyone. An attacker can exploit the vulnerability by sending a crafted HTTP request with path traversal sequences (e.g., ../) in the file parameter to read arbitrary files from the server [1].
Impact
Successful exploitation allows an attacker to read any file on the server that the web server process has access to, leading to disclosure of sensitive information such as configuration files, database credentials, or application source code [1].
Mitigation
As of the publication date, no patched version has been released by the vendor. Until a fix is available, it is recommended to restrict access to the download_backup.php script via web server configuration or to disable the script entirely. Users should monitor the flusity CMS repository for an update [1].
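A hardened download handler of the kind a fix for this component would need, written here as an added example and not taken from the flusity source: the requested name is restricted to a plain filename, resolved with realpath and checked to still lie inside a fixed backup directory, and the unconditional define('isAdmin', true) is replaced by a real session check. BACKUP_DIR and the is_admin_session() helper are assumptions, not flusity code.

```php
<?php
// Added example (not flusity's own code): a hardened backup download handler
// that confines the requested filename to a fixed backup directory.
// Assumptions: backups live in BACKUP_DIR and an is_admin_session() helper
// exists (hypothetical); neither comes from the flusity source.

declare(strict_types=1);

const BACKUP_DIR = __DIR__ . '/backups';

function resolve_backup_path(string $requested): ?string
{
    // 1. Accept only a plain filename: no slashes, no traversal, no NUL bytes,
    //    and no leading dot (rejects "..", ".htaccess" and similar).
    if (!preg_match('/\A[A-Za-z0-9._-]{1,128}\z/', $requested) || $requested[0] === '.') {
        return null;
    }
    // 2. Canonicalise and verify the result still lives under BACKUP_DIR,
    //    which also catches symlinks pointing outside the directory.
    $base = realpath(BACKUP_DIR);
    $path = realpath(BACKUP_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved path escaped the backup directory
    }
    return is_file($path) ? $path : null;
}

// The vulnerable pattern described above amounts to readfile($_GET['file'])
// behind an unconditional define('isAdmin', true). Here the request is
// gated on an authenticated admin session instead (hypothetical helper).
if (!is_admin_session()) {
    http_response_code(403);
    exit;
}
$path = resolve_backup_path((string)($_GET['file'] ?? ''));
if ($path === null) {
    http_response_code(404); // same response for bad names and missing files
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

Restricting download_backup.php at the web server, as the mitigation above suggests, remains the right stopgap until the vendor ships a handler with checks of this kind.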
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- flusity/CMS
- Range: =2.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.