Description

In webERP 4.15, Z_CreateCompanyTemplateFile.php has Incorrect Access Control, leading to the overwrite of an existing .sql file on the target web site by creating a template and then using ../ directory traversal in the TemplateName parameter.

Remediation

References

CVE-2018-20420

Related Vulnerabilities

WordPress Plugin Icon Widget Cross-Site Scripting (1.2.6)

WordPress 4.2.x PHP Object Injection (4.2 - 4.2.29)

Oracle Application Server CVE-2009-0983 Vulnerability (CVE-2009-0983)

WordPress Plugin Thank You Counter Button Multiple Cross-Site Scripting Vulnerabilities (1.8.7)

Joomla Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2013-3058)

Severity

Medium

Classification

CVE-2018-20420 CWE-732 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities