GHSA-858x-6wp8-wp5cMediumCVSS 6.5

The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is...

Published
June 25, 2026
Last Modified
June 25, 2026

🔗 CVE IDs covered (1)

📋 Description

The K2 frontend article-save handler accepts an attachment[N][existing] POST field that is concatenated with JPATH_SITE/ and passed to JFile::copy(). JPath::clean does NOT strip .., and there is no allow-list of source paths. An Author can therefore copy configuration.php (or any other file readable by the web user — including ../../../etc/passwd) into /media/k2/attachments/, then retrieve the contents via the K2 attachment-download endpoint.

🔗 References (3)