CVE-2010-2132

Name of the Vulnerable Software and Affected Versions Open Education System (OES) version 0.1 beta

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the CONF INCLUDE PATH parameter to various PHP files, including (1) 'forum/admin.php', (2) 'plotgraph/index.php' in 'admin/modules/modules/', and (3) 'admin user/mod admuser.php' and (4) 'ogroup/mod group.php' in 'admin/modules/user account/'.

Recommendations For Open Education System (OES) version 0.1 beta, consider restricting access to the CONF INCLUDE PATH parameter in the affected PHP files until a patch is available. As a temporary workaround, avoid using the CONF INCLUDE PATH parameter in the specified API endpoints, such as 'forum/admin.php' and 'plotgraph/index.php', until the issue is resolved. Restrict access to the vulnerable modules, including 'admin user/mod admuser.php' and 'ogroup/mod group.php', to minimize the risk of exploitation.