PT-2007-7107 · Ossigeno · Ossigeno Cms
Publicado
2007-12-04
·
Atualizado
2008-11-15
·
CVE-2007-6218
CVSS v2.0
5.0
Média
| Vetor | AV:N/AC:L/Au:N/C:N/I:N/A:P |
Name of the Vulnerable Software and Affected Versions
Ossigeno CMS version 2.2 pre1
Description
The issue allows remote attackers to execute arbitrary PHP code via specific URL parameters. This can be achieved by manipulating the
level parameter in various PHP files, including install module.php and uninstall module.php in upload/xax/admin/modules/ and upload/xax/ossigeno/admin/, as well as upload/xax/admin/patch/index.php. Additionally, the ossigeno parameter in ossigeno modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php is vulnerable.Recommendations
For Ossigeno CMS version 2.2 pre1, consider disabling the
install module.php and uninstall module.php functions in upload/xax/admin/modules/ and upload/xax/ossigeno/admin/ until a patch is available. Also, restrict access to upload/xax/admin/patch/index.php and the ossigeno modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php file to minimize the risk of exploitation. Avoid using the level and ossigeno parameters in the affected API endpoints until the issue is resolved.Exploit
Correção
RCE
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Ossigeno Cms