CVE-2018-16141

CVE-2018-16141

ThinkCMF X2.2.3 has an arbitrary file deletion vulnerability in do_avatar in applicationUserControllerProfileController.class.php via an imgurl parameter with a .. sequence. A member user can delete any file on a Windows server.

Source: CVE-2018-16141