CVE-2006-4276

Name of the Vulnerable Software and Affected Versions Tutti Nova versions 1.6 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the TNLIB DIR parameter to "novalib/class.novaEdit.mysql.php" API endpoint.

Recommendations For Tutti Nova versions 1.6 and earlier, as a temporary workaround, consider restricting access to the novalib/class.novaEdit.mysql.php endpoint until a patch is available. Avoid using the TNLIB DIR parameter in the affected endpoint until the issue is resolved.