PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-5539 B2evolution CVE debrief

CVE-2017-5539 is a critical directory traversal patch bypass in b2evolution 6.8.4-stable. An unauthenticated remote attacker can use the sequence `..\/` to get past the traversal filter added for CVE-2017-5480 and read, delete, or test the existence of files on the server.

Vendor: B2evolution
Product: b2evolution
CVSS: CRITICAL 9.1 (CVSS 3.0)
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and security teams running b2evolution 6.8.4-stable, especially internet-facing instances, and any deployment where the web server process can reach configuration files, credentials, or other sensitive data on disk.

Technical summary

NVD classifies this issue as CWE-22 (path traversal) and lists b2evolution 6.8.4 as the vulnerable version. The supplied description states that the fix for CVE-2017-5480, the earlier directory traversal, is bypassed with the sequence `..\/`, which again allows reading files, deleting files, and testing whether a file exists. This is the usual shape of a traversal patch bypass: a check that looks for the literal `../` does not match `..\/`, but once the backslash is treated as a directory separator (as on Windows) or removed by later processing, the sequence collapses to `../`. Whether b2evolution's filter failed in exactly that way is not stated in the supplied evidence. The CVSS 3.0 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) scores 9.1: network-reachable, no privileges or user interaction required, high confidentiality and integrity impact, and no availability impact.
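To make the bypass pattern concrete, the following Python model is an added example; it is not b2evolution's code, and the filter the project actually shipped is not reproduced on this page. It shows a filter that rejects only the literal `../`, what `..\/` becomes once backslashes are treated as separators, and a hardened check that canonicalizes the path before deciding containment. The base directory, file names, and `safe_join` helper are assumptions for illustration.

```python
import os
import posixpath
from typing import Optional

# Assumed base directory for user-addressable files (illustrative only).
BASE_DIR = "/var/www/b2evolution/media"


def naive_filter(user_path: str) -> Optional[str]:
    """Model of an incomplete traversal filter (not b2evolution's own code):
    reject the literal '../' and accept everything else."""
    if "../" in user_path:
        return None
    return user_path


def separator_fold(path: str) -> str:
    """What a path becomes once '\\' is treated as a directory separator
    (as on Windows) or a later step strips backslashes: '..\\/' turns into
    '..//', which normalizes to '..'."""
    return posixpath.normpath(path.replace("\\", "/"))


def safe_join(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened handling (assumed helper, not from the project): fold
    separators, canonicalize with realpath (which also resolves symlinks),
    then check containment on the resolved path, never on the raw string."""
    base = os.path.realpath(base_dir)
    folded = user_path.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(base, folded))
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


def demo(user_path: str) -> dict:
    """Run one attacker-supplied path through both the naive filter and the
    hardened check so the difference is visible side by side."""
    passed = naive_filter(user_path)
    return {
        "input": user_path,
        "passes_naive_filter": passed is not None,
        "effective_path": separator_fold(passed) if passed is not None else None,
        "safe_join": safe_join(BASE_DIR, user_path),
    }


if __name__ == "__main__":
    for p in ["2017/01/photo.jpg", "../../etc/passwd", "..\\/..\\/etc/passwd"]:
        print(demo(p))
```

The point of `safe_join` is that the decision is made on the resolved absolute path, so it does not matter which separator or encoding the attacker used to express the parent-directory step; an absolute `user_path` is also rejected because `os.path.join` discards the base in that case and the containment check then fails.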

Defensive priority

Critical — prioritize immediate remediation for any exposed b2evolution 6.8.4-stable instance.

Recommended defensive actions

  • Upgrade b2evolution to the vendor-referenced fixed release, 6.8.5.
  • Inventory b2evolution deployments and treat every 6.8.4-stable instance as affected until it has been upgraded.
  • Review web server and application logs for requests containing `../`, `..\/`, or their URL-encoded forms (including double-encoded variants), and check file-system activity for unexpected reads or deletions.
  • Re-test path handling after patching with the plain `../` sequence, the `..\/` variant, and their encoded forms, to confirm the bypass is closed.
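The log review above can be scripted. The following Python scanner is an added example, not part of the original page or of b2evolution: it parses constructed access-log lines, URL-decodes the request target repeatedly to catch double encoding, folds backslashes to slashes, and flags any request whose normalized target still contains a `..` path component. The `file=` parameter, paths, addresses, and log lines are all constructed; the page does not name the vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format (not real traffic;
# the 'file=' parameter and target paths are assumptions, not the actual
# vulnerable endpoint, which this page does not name).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Jan/2017:10:12:01 +0000] "GET /media/photo.jpg HTTP/1.1" 200 5120
203.0.113.5 - - [23/Jan/2017:10:12:09 +0000] "GET /index.php?file=..%5C/..%5C/conf/_config.php HTTP/1.1" 200 812
198.51.100.7 - - [23/Jan/2017:10:13:44 +0000] "GET /index.php?file=../../../etc/passwd HTTP/1.1" 403 210
198.51.100.7 - - [23/Jan/2017:10:13:50 +0000] "GET /index.php?file=..%252F..%252Fetc/passwd HTTP/1.1" 200 1024
192.0.2.9 - - [23/Jan/2017:10:14:02 +0000] "GET /skins/main/style.css HTTP/1.1" 200 33210
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A '..' component delimited on the left by start-of-string, a separator, or
# a query delimiter ('=', '&', '?') and on the right by a separator or the end.
DOTDOT_RE = re.compile(r"(?:^|[/=&?])\.\.(?:/|$)")


def normalize_target(target: str, max_decodes: int = 3) -> str:
    """Decode percent-encoding repeatedly (double encoding is a common
    evasion), fold '\\' to '/', and collapse repeated slashes so that
    '..\\/' ends up as '../'."""
    current = target
    for _ in range(max_decodes):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return re.sub(r"/+", "/", current.replace("\\", "/"))


def scan_log(log_text: str) -> list:
    """Return one record per request whose normalized target contains a '..'
    path component, regardless of HTTP status (a 403 still shows probing)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        norm = normalize_target(m.group("target"))
        if DOTDOT_RE.search(norm):
            hits.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "raw": m.group("target"),
                "normalized": norm,
            })
    return hits


def count_by_ip(hits: list) -> dict:
    """Aggregate hits per source address for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["raw"], "->", hit["normalized"])
    print(count_by_ip(scan_log(SAMPLE_LOG)))
```

In the constructed sample the plain `../` request is the one that was blocked (403) while the `..%5C/` and double-encoded variants were served (200), which is exactly the signal to look for after a partial traversal fix: rejected literal attempts followed by accepted encoded ones from the same source.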

Evidence notes

The supplied NVD record was published on 2017-01-23 and last modified on 2026-05-13. It references a vendor advisory for 6.8.5, a related GitHub fix commit, and an issue tracker entry. The CVSS vector and CWE-22 classification come from the official NVD data, and the vulnerability scope is limited here to the supplied b2evolution 6.8.4-stable reference.

Official resources

Publicly disclosed on 2017-01-23. The official NVD record was last modified on 2026-05-13; that date reflects record maintenance, not a new disclosure.