CVE-2006-4920

Name of the Vulnerable Software and Affected Versions Site@School versions 2.4.02 and earlier

Description The issue allows remote attackers to execute arbitrary PHP code. This can be achieved by providing a URL in the cmsdir parameter to specific API endpoints, such as "/starnet/modules/sn allbum/slideshow.php" and "/starnet/themes/editable/main.inc.php".

Recommendations For Site@School versions 2.4.02 and earlier, consider restricting access to the cmsdir parameter in the affected API endpoints until a patch is available. As a temporary workaround, disable the execution of remote PHP code in the slideshow.php and main.inc.php files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.