CVE-2008-3926

Name of the Vulnerable Software and Affected Versions Content Management Made Easy (CMME) version 1.12

Description The issue allows remote attackers to read arbitrary files or create arbitrary directories. This can be achieved by exploiting directory traversal vulnerabilities, specifically by using a .. (dot dot) in the env parameter. For file reading, this can be done in a weblog action to "index.php". For directory creation, this can be done in a login action to "admin.php".

Recommendations For Content Management Made Easy (CMME) version 1.12, consider restricting access to the env parameter in both the weblog action to "index.php" and the login action to "admin.php" to prevent directory traversal attacks. As a temporary workaround, restrict the use of the env parameter until a patch is available.