CVE-2007-2104

Name of the Vulnerable Software and Affected Versions iXon CMS version 0.30

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme url parameter to several API endpoints: "index.php", "page.php", "search.php", "single.php", and "archives.php".

Recommendations For iXon CMS version 0.30, consider restricting access to the theme url parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the theme url parameter with untrusted input in "index.php", "page.php", "search.php", "single.php", and "archives.php".