CVE-2012-6038

high

Description

admin/core/admin_func.php in razorCMS before 1.2.1 does not properly restrict access to certain administrator directories and files, which allows remote authenticated users to read, edit, rename, move, copy and delete files via the (1) dir parameter in a fileman or (2) filemanview action. NOTE: this issue has been referred to as a "path traversal."

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/72268

http://www.razorcms.co.uk/archive/core/old/razorCMS_core_v1_2_1_STABLE.zip

http://secunia.com/advisories/47461

http://osvdb.org/78230

Details

Source: Mitre, NVD

Published: 2012-11-26

Updated: 2026-06-16

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Severity: High

EPSS

EPSS: 0.04543