CVE Catalog

CVE-2024-46446

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Elevated risk
1.35%

68th percentile - higher than 68% of all known CVEs

Summary

Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks, then pass parameters via POST method, resulting in deletion of arbitrary files or website takeover.

Risk Assessment

The risk for the organization includes the possibility of deleting critical system files or taking over the website, which can lead to data loss, service disruption, and reputational damage.

Recommendation

It is recommended to immediately update Mecha CMS to the latest version that fixes this vulnerability. If an update is not available, implement temporary mitigations such as input validation and sanitization, and restrict access to sensitive files.

Original NVD description (English source)

Mecha CMS 3.0.0 is vulnerable to Directory Traversal. An attacker can construct cookies and URIs that bypass user identity checks. Parameters can then be passed through the POST method, resulting in the Deletion of Arbitrary Files or Website Takeover.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS