Impact
The vulnerability is a directory traversal flaw in the add_product controller of the Vendor Image Manager in the ecommerce-codeigniter-bootstrap project. The folder argument of the do_upload_others_images method is not confined to the intended upload directory, so an attacker can supply a path that escapes the upload tree and read or potentially overwrite files outside it, leading to disclosure of sensitive data or modification of critical system files. The weakness maps to CWE-22 (Path Traversal).
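As an added illustration (not code from the project or from its patch commit), the following shows the kind of containment check a CodeIgniter controller needs before using a caller-supplied folder name such as the one described above; the helper name, the upload root and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not project code. Confines a user-supplied upload folder
// name to a fixed upload root. Names and paths here are assumptions.
declare(strict_types=1);

/**
 * Return the absolute path of $base/$folder, or null if $folder is not a
 * single plain segment or would resolve outside $base. Works whether or
 * not the target folder exists yet.
 */
function resolveUploadFolder(string $base, string $folder): ?string
{
    // First gate: allow only one plain path segment. This rejects '..',
    // '/', '\\', NUL bytes and empty names before touching the filesystem.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $folder)) {
        return null;
    }

    $realBase = realpath($base);
    if ($realBase === false) {
        return null; // upload root missing: fail closed, never fall back
    }
    $candidate = $realBase . DIRECTORY_SEPARATOR . $folder;

    // Second, independent gate: if the folder already exists (possibly as a
    // symlink), its resolved path must still sit under the upload root.
    if (file_exists($candidate)) {
        $resolved = realpath($candidate);
        $prefix   = $realBase . DIRECTORY_SEPARATOR;
        if ($resolved === false
            || strncmp($resolved . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $resolved;
    }
    return $candidate;
}

// Demo with a constructed upload root under the system temp directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo';
@mkdir($base, 0700);

// Constructed inputs: the first is accepted, the rest are rejected.
foreach (['product_42', '../outside', 'a/b', "x\0y", '/tmp', ''] as $f) {
    $r = resolveUploadFolder($base, $f);
    printf("%-14s -> %s\n", json_encode($f), $r ?? 'rejected');
}
```

The two gates are deliberately redundant: the allow-list stops traversal strings outright, and the realpath comparison catches a folder that exists as a symlink pointing out of the tree.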
Affected Systems
Affected versions include any release of kirilkirkov Ecommerce-CodeIgniter-Bootstrap up to commit 23105f25dadf57b4314fc015a63a7c6e910c89df. The bug resides in AddProduct.php within the Vendor Image Manager module. The project follows a rolling-release model, so no formal version numbers are available, but the patch commit de1c9e73ccf3bd032d9a0525c4752290d959dd8b fixes the vulnerability.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate risk. No EPSS data is available, so the current probability of exploitation is unknown, but the flaw can be triggered remotely by submitting a crafted request containing a malicious folder value. Without the patch, attackers could exploit the flaw to read or delete files, potentially compromising data integrity and confidentiality. The absence of a KEV listing suggests no known large-scale exploitation yet, but the vulnerability remains a valid attack vector.
OpenCVE Enrichment