CVE-2006-4591

Name of the Vulnerable Software and Affected Versions AlstraSoft Template Seller versions prior to the fixed version AltraSoft Template Seller Pro version 3.25

Description The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the config[template path] parameter to specific API endpoints, such as "/payment/payment result.php" or "/payment/spuser result.php".

Recommendations For AlstraSoft Template Seller versions prior to the fixed version, update to the fixed version to resolve the issue. For AltraSoft Template Seller Pro version 3.25, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the payment result.php and spuser result.php files until a patch is available. Avoid using the config[template path] parameter in the affected API endpoints until the issue is resolved.