CVE-2006-4559

Name of the Vulnerable Software and Affected Versions YACS CMS version 6.6.1

Description The issue allows remote attackers to execute arbitrary PHP code via a URL in the context[path to root] parameter in several PHP files, including "articles/populate.php", "categories/category.php", "categories/populate.php", "comments/populate.php", "files/file.php", "sections/section.php", "sections/populate.php", "tables/populate.php", "users/user.php", and "users/populate.php".

Recommendations For YACS CMS version 6.6.1, consider restricting access to the vulnerable PHP files until a patch is available. As a temporary workaround, avoid using the context[path to root] parameter in the affected API endpoints.