admbrowse.php in FUDforum before 2.2.0 allows remote attackers to create or delete files via URL-encoded pathnames in the cur and dest parameters.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Fudforum | Ilia_alshanetsky | 1.2.8 | 1.2.8 |
Fudforum | Ilia_alshanetsky | 1.9.8 | 1.9.8 |
Fudforum | Ilia_alshanetsky | 2.0.2 | 2.0.2 |