Fredck · Ckeditor · CVE-2009-2265
**Name of the Vulnerable Software and Affected Versions**
FCKeditor versions prior to 2.6.4.1
**Description**
FCKeditor contains multiple directory traversal vulnerabilities that allow remote attackers to create executable files in arbitrary directories by supplying directory traversal sequences in the input to unspecified connector modules. The affected components are the file browser and the editor/filemanager/connectors/ directory. The issue has been exploited in the wild for remote code execution. It is also associated with improper limitation of a pathname to a restricted directory, which may allow a remote attacker to upload arbitrary files.
**Recommendations**
Update FCKeditor installations running a version prior to 2.6.4.1 to version 2.6.4.1 or later to resolve the issue. As a temporary workaround, restrict access to the file browser and the editor/filemanager/connectors/ directory to minimize the risk of exploitation. Avoid using the vulnerable connector modules until the issue is resolved.
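To check whether the connectors directory is being reached at all, and whether any of those requests carry traversal sequences, web access logs can be reviewed with a script like the one below. It is an added example, not part of the original advisory or of FCKeditor; the log lines, the handler name and the `folder` parameter are constructed for illustration.

```python
import re
from urllib.parse import unquote

CONNECTOR_DIR = "editor/filemanager/connectors/"  # directory named in the advisory
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# ".." standing alone as a path segment or at the start of a parameter value
TRAVERSAL_RE = re.compile(r'(?:^|[/\\=&?])\.\.(?:[/\\&#]|$)')
# Constructed sample log lines; handler name and "folder" parameter are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /app/editor/filemanager/connectors/demo/handler?folder=/ HTTP/1.1" 200 310
198.51.100.9 - - [01/Jan/2024:10:01:10 +0000] "POST /app/editor/filemanager/connectors/demo/handler?folder=/../../ HTTP/1.1" 200 98
198.51.100.9 - - [01/Jan/2024:10:01:15 +0000] "POST /app/Editor/FileManager/Connectors/demo/handler?folder=%252e%252e%255cx HTTP/1.1" 200 98
203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "GET /app/editor/filemanager/connectors/demo/handler?name=draft..v2.txt HTTP/1.1" 200 77
"""


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded sequences are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return None, 'connector-access' or 'connector-traversal' for one log line."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    target = match.group("target")
    path = fully_decode(target.partition("?")[0]).replace("\\", "/").lower()
    if CONNECTOR_DIR not in path:
        return None
    if TRAVERSAL_RE.search(fully_decode(target)):
        return "connector-traversal"
    return "connector-access"


def scan(log_text):
    """Return (line_number, verdict) for every line that touches the connectors."""
    results = ((n, classify(l)) for n, l in enumerate(log_text.splitlines(), 1))
    return [(n, v) for n, v in results if v]


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Once the workaround is in place, any `connector-access` hit from outside the trusted network indicates the access restriction is not being enforced.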