An issue was discovered in idreamsoft iCMS 7.0.13. admincp.php?app=apps&do=save allows directory traversal via _app=/../ to designate an arbitrary directory because of an apps.admincp.php error. This directory can then be deleted via an admincp.php?app=apps&do=uninstall request.
Publication date: Thu, 31 Jan 2019 03:29:00 +0000
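
One way to guard both the save and the uninstall step described above, as an added PHP example that is not iCMS code: the submitted directory name is allowlisted and then canonicalised, so it must resolve to a strict child of the apps root before it is stored or deleted. The function name resolve_app_dir, the apps root location and the directory layout are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not iCMS code): map an app name to a directory that is
// a strict child of $appsRoot, or return null if the name cannot be trusted.
function resolve_app_dir(string $appsRoot, string $app): ?string
{
    // 1. Allowlist the name: no separators, no dots, no empty string.
    if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $app) !== 1) {
        return null;
    }
    $root = realpath($appsRoot);
    if ($root === false) {
        return null;
    }
    $candidate = $root . DIRECTORY_SEPARATOR . $app;
    // 2. A symlink could still point outside the root; refuse it outright.
    if (is_link($candidate)) {
        return null;
    }
    // 3. Canonicalise and confirm the result is a strict child of the root.
    $real = realpath($candidate);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    $prefix = $root . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed layout: <tmp>/site/app/demo is a legitimate app directory and
// <tmp>/site/cache stands in for a directory that must never be selected.
$site = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'icms_demo_' . bin2hex(random_bytes(4));
mkdir($site . '/app/demo', 0700, true);
mkdir($site . '/cache', 0700, true);

// Constructed inputs: one valid name, the "/../" value from the advisory,
// and other names that must be rejected.
foreach (['demo', '/../', '../cache', 'demo/../../cache', '', 'missing'] as $name) {
    $resolved = resolve_app_dir($site . '/app', $name);
    printf("%-20s => %s\n", var_export($name, true), $resolved ?? 'REJECTED');
}

// Clean up the constructed directories.
foreach (['/app/demo', '/app', '/cache', ''] as $dir) {
    rmdir($site . $dir);
}
```

Running the same check again at uninstall time, rather than trusting the value stored at save time, keeps a tampered record from reaching the delete call.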