CVE-2006-2844

Name of the Vulnerable Software and Affected Versions Redaxo version 3.0

Description The issue allows remote attackers to execute arbitrary PHP code. This is achieved by exploiting remote file inclusion vulnerabilities via a URL in the REX[INCLUDE PATH] parameter to specific API endpoints, such as "simple user/pages/index.inc.php" and "stats/pages/index.inc.php".

Recommendations For Redaxo version 3.0, consider restricting access to the REX[INCLUDE PATH] parameter in the affected API endpoints to minimize the risk of exploitation. Additionally, avoid using the REX[INCLUDE PATH] parameter with untrusted input until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.