PatchSiren cyber security CVE debrief
CVE-2017-5480 B2evolution CVE debrief
CVE-2017-5480 is a high-severity directory traversal issue in b2evolution’s back-office file handling. An authenticated remote user with administrative/back-office access could supply path traversal input in the fm_selected array parameter and use it to read or delete arbitrary files on the server. The NVD record classifies the flaw as CWE-22 and rates it CVSS 3.0 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). The vulnerable CPE range in the official record covers b2evolution through version 6.8.3.
- Vendor
- B2evolution
- Product
- CVE-2017-5480
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2017-01-15
- Original CVE updated
- 2026-05-13
- Advisory published
- 2017-01-15
- Advisory updated
- 2026-05-13
Who should care
Administrators and security teams running b2evolution instances, especially any deployment that exposes the back-office interface to remote users. File integrity and data confidentiality are the main concerns, because the issue can be used to access or remove arbitrary files once authenticated access is available.
Technical summary
The official record describes a path traversal flaw in inc/files/files.ctrl.php. The attack requires remote authenticated access, then abuses the fm_selected array parameter with dot-dot traversal sequences to reach files outside the intended directory scope. According to NVD, the affected range is b2evolution up to and including 6.8.3. The issue is mapped to CWE-22 and scored CVSS 3.0 8.1, reflecting network reachability, low attack complexity, and high confidentiality/integrity impact.
Defensive priority
High for any internet-facing or remotely administered b2evolution installation still on affected versions. While the issue is not unauthenticated, authenticated file read/delete capability can still lead to sensitive data exposure, site defacement, or further compromise.
Recommended defensive actions
- Upgrade b2evolution to a version newer than 6.8.3 that includes the fix referenced by the project commit.
- Review the linked b2evolution issue and commit history to confirm the patched code path in inc/files/files.ctrl.php.
- Restrict back-office access to trusted networks and enforce strong authentication for administrative accounts.
- Audit logs for unusual file selection, deletion, or traversal-like input in fm_selected-related requests.
- Check for unauthorized file access, missing files, or integrity changes in the application filesystem and webroot.
- If immediate upgrade is not possible, reduce exposure by limiting admin access and monitoring file-management actions closely.
Evidence notes
This debrief is grounded only in the supplied official/primary sources: the NVD CVE record, the b2evolution GitHub commit and issue reference, and the CVE record metadata. The original CVE publication date used here is 2017-01-15T22:59:00.127Z; the 2026 modified timestamp reflects record maintenance, not the vulnerability’s discovery date. No exploit steps or unsupported remediation details are included.
Official resources
Publicly disclosed on 2017-01-15. The record’s later modified date (2026-05-13) indicates database update activity and should not be treated as the original issue date.