Impact
A flaw in the Vendor Multi-Image Endpoint of the AddProduct.php controller allows an attacker to manipulate the folder argument and perform a path traversal. This can lead to reading files outside the intended directory, potentially exposing sensitive configuration and system data. The flaw requires no local access: it can be triggered remotely with a crafted request.
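The following is an added illustration, not code from the Ecommerce-CodeIgniter-Bootstrap project: a hypothetical upload-path helper showing the unchecked folder-argument pattern beside a hardened version that allowlists the folder name and then verifies with realpath() that the resolved directory still lies under the upload root. The upload root, function names and the "vendor42" folder are assumptions.

```php
<?php
// Added example, not code from the Ecommerce-CodeIgniter-Bootstrap project.
// Assumptions: the upload root, the $folder/$file argument names and the
// helper names are hypothetical; the real controller is not on the page.
declare(strict_types=1);

// Vulnerable pattern: a caller-controlled folder name is joined to the upload
// root without validation, so "../" segments in $folder escape the root.
function vulnerableImagePath(string $uploadRoot, string $folder, string $file): string
{
    return $uploadRoot . '/' . $folder . '/' . $file;
}

// Hardened form: accept only a single, simple path segment for the folder and
// file, then confirm the canonical directory is still inside the upload root.
function safeImagePath(string $uploadRoot, string $folder, string $file): ?string
{
    // 1. Allowlist: one segment each, no slashes, no dots in the folder name.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $folder)) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif|webp)$/i', $file)) {
        return null;
    }

    // 2. Containment check as defence in depth (e.g. a symlinked folder):
    //    realpath() resolves ".." and symlinks, false if the path is missing.
    $root = realpath($uploadRoot);
    $dir  = realpath($uploadRoot . DIRECTORY_SEPARATOR . $folder);
    if ($root === false || $dir === false) {
        return null;
    }
    if ($dir !== $root && strpos($dir, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the upload root
    }
    return $dir . DIRECTORY_SEPARATOR . $file;
}

// Constructed demonstration: build a throwaway upload root in the temp dir.
$root = sys_get_temp_dir() . '/vendor_images_' . bin2hex(random_bytes(4));
mkdir($root . '/vendor42', 0700, true);

// Unchecked join lets a traversal folder name leave the upload root.
var_dump(vulnerableImagePath($root, '../../secrets', 'config.ini'));
// The allowlist stops the same input before any filesystem access.
var_dump(safeImagePath($root, '../../secrets', 'config.ini'));
// A legitimate vendor folder passes both checks.
var_dump(safeImagePath($root, 'vendor42', 'photo.jpg'));
```

In a CodeIgniter controller the same checks belong immediately after reading the request argument, before the value reaches any file or image-library call.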
Affected Systems
The issue affects the kirilkirkov Ecommerce‑CodeIgniter‑Bootstrap project. No specific version numbers are available due to the rolling release model, but the vulnerability exists up to the last commit before 2a9497ff11f36e573ad99e1c357ff0e6ded49745. The public patch commit provides the fix.
Risk and Exploitability
The CVSS score of 6.9 indicates moderate severity. No EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. The publicly released exploit and the remote attack vector together make exploitation a realistic scenario. Applying the patch eliminates the traversal path; until then, attackers can abuse the flaw to read arbitrary files.
OpenCVE Enrichment