CVE-2008-6983

Name of the Vulnerable Software and Affected Versions devalcms version 1.4a

Description The issue allows remote attackers to execute arbitrary PHP code via the HTTP Referer header. This is achieved by specifying a target file in the gv folder data parameter. The exploitation can be demonstrated by modifying the modules/tool/url2header.php file.

Recommendations For devalcms version 1.4a, consider restricting access to the modules/tool/hitcounter.php file until a patch is available. As a temporary workaround, avoid using the gv folder data parameter in the affected module to minimize the risk of exploitation.