CVE-2009-4793

Name of the Vulnerable Software and Affected Versions BandSite CMS version 1.1.4

Description The issue allows remote authenticated administrators to execute arbitrary PHP code by uploading a file with an executable extension via an "addphotos" action to "adminpanel/index.php", and then accessing the file via a direct request with an "images/gallery/" directory name.

Recommendations For BandSite CMS version 1.1.4, consider restricting access to the "adminpanel/scripts/addphotos.php" script to prevent unauthorized file uploads until a patch is available. As a temporary workaround, restrict the ability to upload files with executable extensions in the "addphotos" action to minimize the risk of exploitation.