CVE-2012-0987

Name of the Vulnerable Software and Affected Versions ImpressCMS versions 1.2.x through 1.2.6 and versions 1.3.x through 1.3.0

Description The issue allows remote authenticated users to include and execute arbitrary local files. This is achieved by exploiting a directory traversal vulnerability in the edituser.php file, specifically by using a .. (dot dot) in the icmsConfigPlugins[sanitizer plugins][] parameter.

Recommendations For ImpressCMS versions 1.2.x through 1.2.6, update to version 1.2.7 Final or later. For ImpressCMS versions 1.3.x through 1.3.0, update to version 1.3.1 Final or later.