CVE-2024-46446
CriticalCVSS 9.8Exploitation Probability (EPSS)
Elevated risk68th percentile - higher than 68% of all known CVEs
Summary
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks, then pass parameters via POST method, resulting in deletion of arbitrary files or website takeover.
Risk Assessment
The risk for the organization includes the possibility of deleting critical system files or taking over the website, which can lead to data loss, service disruption, and reputational damage.
Recommendation
It is recommended to immediately update Mecha CMS to the latest version that fixes this vulnerability. If an update is not available, implement temporary mitigations such as input validation and sanitization, and restrict access to sensitive files.
Original NVD description (English source)
Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover.

