CVE-2020-29555: 
PHP vulnerability analysis and mitigation

CVE-2020-29555 affects the BackupDelete functionality in Grav CMS through version 1.7.0-rc.17. The vulnerability was discovered and disclosed in December 2020, with the NVD publication date being March 15, 2021. This security flaw affects the Grav Content Management System and allows both authenticated and unauthenticated attackers to delete arbitrary files on the underlying server (NVD, CVE).

The vulnerability is classified as a path traversal vulnerability (CWE-22) that allows attackers to delete arbitrary files on the server by exploiting a path-traversal technique in the BackupDelete functionality. The vulnerability has received a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. The vulnerability is made more severe by the lack of CSRF protection, which enables exploitation by unauthenticated attackers (NVD).

The vulnerability allows attackers to delete arbitrary files on the underlying server, which could lead to system disruption, data loss, and potential denial of service. The high CVSS score reflects the significant potential impact on system integrity and availability (NVD).

Users should upgrade their Grav CMS installation to a version newer than 1.7.0-rc.17 which contains patches for this vulnerability (NVD).