CVE-2007-2289

Name of the Vulnerable Software and Affected Versions Download-Engine version 1.4.1

Description The issue allows remote authenticated users to execute arbitrary PHP code via a URL in the spaw root parameter. This is a different vector than previously identified issues. The problem may be related to SPAW.

Recommendations For Download-Engine version 1.4.1, consider restricting access to the admin/includes/spaw/dialogs/insert link.php file until a patch is available. As a temporary workaround, avoid using the spaw root parameter in the affected URL to minimize the risk of exploitation.