📄 Description (English)
Green CMS 2.x contains a path traversal vulnerability that allows authenticated attackers to download arbitrary files and directories by injecting directory traversal sequences. Attackers can manipulate the theme_name parameter in the themeexporthandle action or supply base64-encoded file paths to the downfile action to retrieve sensitive files outside intended directories.
🤖 AI Executive Summary
Green CMS 2.x contains a path traversal vulnerability (CVE-2019-25574) allowing authenticated attackers to download arbitrary files by manipulating theme_name parameters or base64-encoded file paths. With a CVSS score of 6.5, this vulnerability poses a medium risk to organizations using Green CMS, particularly those storing sensitive data accessible to authenticated users. No patch is currently available, requiring immediate implementation of compensating controls.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 10, 2026 22:00
🇸🇦 Saudi Arabia Impact Assessment
Saudi government agencies, educational institutions, and small-to-medium enterprises using Green CMS for content management face elevated risk. The vulnerability particularly impacts organizations in the public sector (NCA oversight), healthcare facilities managing patient portals, and telecommunications companies using CMS for customer-facing applications. The ability to extract arbitrary files could expose sensitive government documents, personal data, and system configuration files. Organizations under SAMA or NCA regulatory frameworks face compliance violations if customer/citizen data is compromised through this vulnerability.
🏢 Affected Saudi Sectors
Government and Public Administration
Healthcare and Medical Services
Education and Universities
Telecommunications
Banking and Financial Services
Energy and Utilities
Small and Medium Enterprises (SMEs)
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Green CMS 2.x instances in your environment and document their deployment locations
2. Restrict access to Green CMS administrative interfaces using network segmentation and IP whitelisting
3. Implement strict input validation on theme_name and file path parameters
4. Disable or restrict the themeexporthandle and downfile actions if not operationally required
5. Monitor authentication logs for suspicious file download patterns
Compensating Controls:
1. Implement Web Application Firewall (WAF) rules to block requests containing directory traversal sequences (../, ..\ , %2e%2e%2f)
2. Apply base64 decoding inspection rules to detect encoded path traversal attempts
3. Enforce principle of least privilege for authenticated user accounts
4. Implement file access controls at the operating system level to restrict CMS process permissions
5. Enable detailed logging and alerting for file access attempts outside intended directories
Detection Rules:
1. Alert on requests to themeexporthandle or downfile actions with encoded parameters
2. Monitor for multiple failed file access attempts from single user accounts
3. Track downloads of system files (.conf, .xml, .env, /etc/passwd equivalents)
4. Flag base64-encoded strings in HTTP parameters containing path separators
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع مثيلات Green CMS 2.x في بيئتك وتوثيق مواقع نشرها
2. تقييد الوصول إلى واجهات إدارة Green CMS باستخدام تقسيم الشبكة وقائمة IP البيضاء
3. تنفيذ التحقق الصارم من صحة المدخلات على معاملات theme_name ومسارات الملفات
4. تعطيل أو تقييد إجراءات themeexporthandle و downfile إذا لم تكن مطلوبة تشغيلياً
5. مراقبة سجلات المصادقة للأنماط المريبة في تنزيل الملفات
الضوابط البديلة:
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على تسلسلات اجتياز المسار
2. تطبيق قواعد فحص فك تشفير base64 للكشف عن محاولات اجتياز المسار المشفرة
3. فرض مبدأ أقل امتياز لحسابات المستخدمين المصرح لهم
4. تنفيذ ضوابط الوصول إلى الملفات على مستوى نظام التشغيل لتقييد أذونات عملية CMS
5. تفعيل السجلات التفصيلية والتنبيهات لمحاولات الوصول إلى الملفات خارج الدلائل المقصودة
قواعد الكشف:
1. التنبيه على الطلبات إلى إجراءات themeexporthandle أو downfile بمعاملات مشفرة
2. مراقبة محاولات الوصول إلى الملفات المتعددة الفاشلة من حسابات المستخدمين الفردية
3. تتبع تنزيلات ملفات النظام (.conf, .xml, .env)
4. وضع علامة على السلاسل المشفرة بـ base64 في معاملات HTTP التي تحتوي على فواصل المسار
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies (access control policies)
A.6.1.1 - Internal Organization (segregation of duties)
A.8.1.1 - Asset Management (inventory and protection)
A.9.1.1 - Access Control (user access management)
A.12.4.1 - Logging (event logging and monitoring)
🔵 SAMA CSF
ID.AM-2 - Asset Management (software inventory)
PR.AC-1 - Access Control (user access policies)
PR.AC-4 - Access Control (information access management)
DE.CM-1 - Detection and Analysis (monitoring and detection)
DE.AE-1 - Detection and Analysis (anomalies and events)
🟡 ISO 27001:2022
A.5.1.1 - Information security policies
A.6.1.1 - Internal organization
A.8.1.1 - Asset management
A.9.1.1 - Access control
A.9.2.1 - User access management
A.12.4.1 - Event logging
🟣 PCI DSS v4.0.1
Requirement 1.1 - Firewall configuration standards
Requirement 2.1 - Default security parameters
Requirement 6.2 - Security patches
Requirement 7.1 - Limit access to data
Requirement 10.2 - Implement automated audit trails
🔗 References & Sources 4
🔗
🔗
🔗
🔗
http://www.greencms.net/
disclosure@vulncheck.com
https://codeload.github.com/GreenCMS/GreenCMS/zip/beta
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46245
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/green-cms-2-x-path-traversal-arbitrary-file-download
disclosure@vulncheck.com