This vulnerability is trending on Twitter; this may indicate a growing threat.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsUpgrade ci4-cms-erp/ci4ms to version 0.31.9.0 or higher.
ci4-cms-erp/ci4ms is a composer create-project ci4-cms-erp/ci4ms
Affected versions of this package are vulnerable to External Control of File Name or Path through the deleteFileOrFolder and renameFile processes. An attacker can remove or rename critical application files by sending crafted requests to these endpoints with paths to files outside the intended allowlist. This can result in persistent disruption of the application, requiring filesystem-level intervention to restore functionality. This is only exploitable if the attacker has authenticated backend access with the fileeditor.delete or fileeditor.update permission.