CVE-2007-3251

Name of the Vulnerable Software and Affected Versions: e-Vision CMS versions 2.02 and earlier

Description: The issue allows remote attackers to perform directory traversal attacks. This can be achieved in two ways: (1) by including and executing arbitrary local files via a .. (dot dot) in the adminlang cookie to "admin/functions.php", or (2) by reading arbitrary local files via the img parameter to "admin/show img.php".

Recommendations: For versions 2.02 and earlier, consider disabling access to "admin/functions.php" and "admin/show img.php" until a fix is available. Restrict the use of the adminlang cookie and the img parameter in the affected API endpoints to minimize the risk of exploitation.