PT-2007-3446 · Ixon · Ixon Cms

Published 2007-04-18 · Updated 2018-10-16 · CVE-2007-2104

CVSS v2.0: 7.5 (High)

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

iXon CMS version 0.30

Description

The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the theme url parameter to several API endpoints: "index.php", "page.php", "search.php", "single.php", and "archives.php".

Recommendations

For iXon CMS version 0.30, consider restricting access to the theme url parameter in the affected API endpoints until a patch is available. As a temporary workaround, avoid using the theme url parameter with untrusted input in "index.php", "page.php", "search.php", "single.php", and "archives.php".
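
One way to restrict a theme parameter of this kind before it reaches an include, shown as an added example that is not iXon CMS code and not part of the original advisory. The helper name resolve_theme_file, the themes/ directory layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not taken from iXon CMS.
// Maps a requested theme name to a template file and rejects anything that
// could leave the themes directory.

function resolve_theme_file(string $requested, string $themesRoot, string $template): ?string
{
    // 1. Allow-list the shape of a theme name: no dots, slashes or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $requested)) {
        return null;
    }
    // 2. Canonicalise, then confirm the result is still under the themes root.
    //    This also catches a theme directory that is a symlink pointing elsewhere.
    $root = realpath($themesRoot);
    $path = realpath($themesRoot . DIRECTORY_SEPARATOR . $requested . DIRECTORY_SEPARATOR . $template);
    if ($root === false || $path === false) {
        return null; // root missing, or no such theme/template
    }
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample layout in a temp directory so the script runs offline.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'theme_demo_' . getmypid();
mkdir($base . '/themes/default', 0700, true);
file_put_contents($base . '/themes/default/header.php', '<?php // header');
file_put_contents($base . '/secret.php', '<?php // outside the themes root');

// Constructed request values: one valid name and several that must be refused.
$samples = ['default', '..', '../secret', 'default/../..', "default\0", 'missing'];
foreach ($samples as $value) {
    // $template is a constant chosen by the calling script, never request data.
    $resolved = resolve_theme_file($value, $base . '/themes', 'header.php');
    printf("%-18s => %s\n", json_encode($value), $resolved === null ? 'rejected' : 'accepted');
}

// Remove the constructed files again.
unlink($base . '/themes/default/header.php');
unlink($base . '/secret.php');
rmdir($base . '/themes/default');
rmdir($base . '/themes');
rmdir($base);
```

Only the value "default" resolves; every other sample is rejected before any file is included.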


Related Identifiers

CVE-2007-2104

Affected Products

Ixon Cms