PT-2007-3622 · Download Engine · Download-Engine
Published
2007-04-26
·
Updated
2018-10-16
·
CVE-2007-2289
CVSS v2.0
7.5
High
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
Download-Engine version 1.4.1
Description
The issue allows remote authenticated users to execute arbitrary PHP code via a URL in the
spaw root parameter. This is a different vector than previously identified issues. The problem may be related to SPAW.Recommendations
For Download-Engine version 1.4.1, consider restricting access to the
admin/includes/spaw/dialogs/insert link.php file until a patch is available. As a temporary workaround, avoid using the spaw root parameter in the affected URL to minimize the risk of exploitation.Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Download-Engine