CVE-2009-4088

Name of the Vulnerable Software and Affected Versions telepark.wiki versions 2.4.23 and earlier

Description The issue allows remote attackers to read arbitrary files and include and execute arbitrary local files. This is achieved through directory traversal sequences in the css parameter to API endpoints such as "getjs.php" and "getcsslocal.php", and via the group parameter to "upload.php".

Recommendations For telepark.wiki versions 2.4.23 and earlier, update to a version later than 2.4.23 to resolve the issue. As a temporary workaround, consider restricting access to the "getjs.php", "getcsslocal.php", and "upload.php" API endpoints until a patch is available. Avoid using the css and group parameters in the affected API endpoints until the issue is resolved.