PT-2014-7844 · Akeeba · Cms Update+5

Johannes Dahse · Published 2014-11-03 · Updated 2016-05-09 · CVE-2014-7228

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Akeeba Restore versions 2.5.4 through 2.5.25
Akeeba Restore versions 3.x through 3.2.5
Akeeba Restore versions 3.3.0 through 3.3.4
Akeeba Backup for Joomla! Professional versions 3.0.0 through 4.0.2
Backup Professional for WordPress versions 1.0.b1 through 1.1.3
Solo versions 1.0.b1 through 1.1.2
Admin Tools Core and Professional versions 2.0.0 through 2.4.4
CMS Update versions 1.0.a1 through 1.0.1
Description

The issue allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive. This occurs when the software is performing a backup or update for an archive and does not properly delete parameters from $_GET and $_POST when cleansing $_REQUEST. Later, it accesses $_GET and $_POST using the getQueryParam function, enabling the exploitation.
Recommendations

For Akeeba Restore versions 2.5.4 through 2.5.25, update to a version that properly cleanses $_REQUEST.
For Akeeba Restore versions 3.x through 3.2.5, update to a version that properly cleanses $_REQUEST.
For Akeeba Restore versions 3.3.0 through 3.3.4, update to a version that properly cleanses $_REQUEST.
For Akeeba Backup for Joomla! Professional versions 3.0.0 through 4.0.2, update to a version that properly cleanses $_REQUEST.
For Backup Professional for WordPress versions 1.0.b1 through 1.1.3, update to a version that properly cleanses $_REQUEST.
For Solo versions 1.0.b1 through 1.1.2, update to a version that properly cleanses $_REQUEST.
For Admin Tools Core and Professional versions 2.0.0 through 2.4.4, update to a version that properly cleanses $_REQUEST.
For CMS Update versions 1.0.a1 through 1.0.1, update to a version that properly cleanses $_REQUEST.
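The root cause in the description is an inconsistency between where parameters are stripped and where they are read: cleansing touches $_REQUEST, but the later getQueryParam lookup reads $_GET and $_POST, which were never cleansed. The following PHP is an added illustration of that pattern and of the corresponding fix; it is not Akeeba code, and the function names, the parameter name and the constructed request arrays are assumptions made for the example.

```php
<?php
// Added illustration (not Akeeba code) of the cleansing inconsistency the
// advisory describes. Names below are assumptions for this example only.

/** Vulnerable pattern: strips the keys from $_REQUEST only. */
function cleanseRequestOnly(array $keysToStrip): void
{
    foreach ($keysToStrip as $key) {
        unset($_REQUEST[$key]);
    }
}

/** Hardened pattern: strips the keys from every superglobal a lookup may read. */
function cleanseAllSources(array $keysToStrip): void
{
    foreach ($keysToStrip as $key) {
        unset($_REQUEST[$key], $_GET[$key], $_POST[$key], $_COOKIE[$key]);
    }
}

/**
 * Lookup modelled on the getQueryParam behaviour the advisory describes
 * (assumed here): consults $_GET and $_POST directly rather than $_REQUEST.
 */
function getQueryParamLike(string $key, $default = null)
{
    if (isset($_GET[$key])) {
        return $_GET[$key];
    }
    if (isset($_POST[$key])) {
        return $_POST[$key];
    }
    return $default;
}

/** Returns true if the key is still reachable through the lookup after cleansing. */
function leaksAfterCleanse(callable $cleanser, string $key): bool
{
    // Constructed request state so the file runs without a real HTTP request.
    $_GET     = [$key => 'constructed-value'];
    $_POST    = [];
    $_COOKIE  = [];
    $_REQUEST = $_GET + $_POST;

    $cleanser([$key]);
    return getQueryParamLike($key) !== null;
}

// Compare the two cleansing strategies against the same lookup. Only the
// hardened cleanse removes the parameter from the sources the lookup reads.
$param = 'restricted_param';   // assumed name; stands in for a parameter that must not be user-controlled
printf("cleanseRequestOnly leaves it reachable: %s\n", leaksAfterCleanse('cleanseRequestOnly', $param) ? 'yes' : 'no');
printf("cleanseAllSources leaves it reachable:  %s\n", leaksAfterCleanse('cleanseAllSources', $param) ? 'yes' : 'no');
```

When reviewing code for this class of bug, check that the set of superglobals written by the cleansing step is a superset of the set read by every parameter-access helper; a cleanser that only edits $_REQUEST gives no protection to code that reads $_GET or $_POST directly.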

Exploit

Fix


Weakness Enumeration

Related identifiers

CVE-2014-7228

Affected products

Admin Tools
Akeeba Backup For Joomla!
Akeeba Restore
Backup Professional for WordPress
CMS Update
Solo