The variable $filename can be controlled by $_GET['scan']. By concatenating $filename with $filepath and passing it directly into the unlink function, it can lead to arbitrary file deletion vulnerability.
To fix this vulnerability, we recommend that developers implement properly sanitize for user input before displaying it on the webpage.
Recently, our team found a Arbitrary file deletion vulnerability The vulnerability logic is present in the file: https://github.com/LibreHealthIO/lh-ehr/blob/master/interface/fax/fax_dispatch.php#L49 https://github.com/LibreHealthIO/lh-ehr/blob/master/interface/fax/fax_dispatch.php#L50 https://github.com/LibreHealthIO/lh-ehr/blob/master/interface/fax/fax_dispatch.php#L315
The variable
$filenamecan be controlled by$_GET['scan']. By concatenating $filename with$filepathand passing it directly into theunlinkfunction, it can lead to arbitrary file deletion vulnerability.To fix this vulnerability, we recommend that developers implement properly sanitize for user input before displaying it on the webpage.