CVE-2006-2331

Name of the Vulnerable Software and Affected Versions PHP-Fusion version 6.00.306

Description The issue concerns directory traversal vulnerabilities that allow remote attackers to include and execute arbitrary local files. This can be achieved through a .. (dot dot) in the settings[locale] parameter in the /infusions/last seen users panel/last seen users panel.php API endpoint, and a .. (dot dot) in the localeset parameter in the setup.php file. The vendor suggests that the problem might stem from issues in third-party local files.

Recommendations For PHP-Fusion version 6.00.306, consider restricting access to the infusions/last seen users panel/last seen users panel.php and setup.php files to minimize the risk of exploitation. Avoid using the settings[locale] and localeset parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.