VYPR
Medium severity (CVSS 5.4) · NVD Advisory · Published Oct 19, 2025 · Updated Apr 29, 2026

CVE-2025-11941

Description

A vulnerability was detected in e107 CMS up to 2.3.3. This impacts an unknown function of the file /e107_admin/image.php?mode=main&action=avatar of the component Avatar Handler. Performing manipulation of the argument multiaction[] results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Path traversal in e107 CMS avatar handler allows authenticated remote arbitrary file deletion; proof of concept publicly available, vendor unresponsive.

Vulnerability

A path traversal vulnerability exists in the e107 CMS avatar handler, specifically in /e107_admin/image.php?mode=main&action=avatar. The multiaction[] parameter is insufficiently sanitized, allowing an attacker to delete arbitrary files on the server [1]. The application attempts to filter ../ from the value, but the filter is applied only once, so a doubled pattern such as ..././ collapses to ../ after the removal and reaches the file operation intact [1].

Exploitation

To exploit, an attacker must have administrative access to the e107 admin panel. The attack is performed by sending a crafted POST request to the vulnerable endpoint, modifying the multiaction[] value to include a path traversal payload [2]. For example, setting multiaction[]=0#..././..././..././a.txt will delete a.txt from the web root [1]. The flaw does not include an authentication bypass; the attacker must already be logged in as an administrator.

Impact

Successful exploitation allows an authenticated remote attacker to delete arbitrary files on the server. This could lead to data loss, service disruption, or potentially facilitate further attacks by removing critical files (e.g., configuration files, access controls) [2]. The vulnerability has a CVSS v3 score of 5.4 (Medium), and a public proof of concept is available, elevating the risk [1].

Mitigation

The vendor was contacted but did not respond, and as of CVE publication, no patch is available [1]. Users of e107 CMS version 2.3.3 and earlier should restrict access to the admin panel to trusted users and consider implementing additional file deletion protections or monitoring for suspicious requests.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 5
