CVE-2006-2928

Name of the Vulnerable Software and Affected Versions CMS-Bandits versions 2.5 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code when register globals is enabled. This is achieved via a URL in the spaw root parameter in the following API endpoints: "dialogs/img.php" and "dialogs/td.php".

Recommendations For CMS-Bandits versions 2.5 and earlier, consider disabling the register globals setting to prevent exploitation until a patch is available. Restrict access to the dialogs/img.php and dialogs/td.php endpoints to minimize the risk of arbitrary PHP code execution. Avoid using the spaw root parameter in these endpoints until the issue is resolved.