PT-2007-3949 · Fredck+1 · Ckeditor+1

Published 2007-05-11 · Updated 2018-10-16 · CVE-2007-2630

CVSS v2.0: 6.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: ActiveCampaign 1-2-All (aka 12All) versions 4.50 through 4.53.13.

Description: The issue is an incomplete blacklist vulnerability in the bundled FCKeditor module, specifically in the filemanager/browser/default/connectors/php/config.php file. The extension blacklist does not cover .php4 and .php5, so remote authenticated administrators can upload files with those extensions and possibly execute them. The vulnerable functionality is reachable through the filemanager/browser/default/browser.html file.

Recommendations: For ActiveCampaign 1-2-All (aka 12All) versions 4.50 through 4.53.13, consider restricting access to the filemanager/browser/default/connectors/php/config.php file and the filemanager/browser/default/browser.html file to reduce the attack surface. As a temporary workaround, consider disabling the upload functionality for .php4 and .php5 files in the FCKeditor module until a patch is available.
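The root cause described above, a blacklist that names some executable extensions but not all of their variants, is easiest to see side by side with the allowlist approach that avoids the problem. The following is an added illustrative example, not code from FCKeditor, 12All or this advisory; the extension lists, the function names and the sample filenames are all constructed for the demonstration and do not reproduce the product's configuration.

```python
# Upload-extension filtering: an incomplete denylist versus an allowlist.
# Added example code, not the FCKeditor connector or the 12All code base;
# the lists and filenames below are constructed for the demo.
import os

# Constructed denylist in the spirit of the flaw: some PHP-family extensions
# are blocked, but the .php4 and .php5 variants are missing.
INCOMPLETE_DENYLIST = {"php", "php3", "phtml"}

# Constructed allowlist: only the media/document types an editor needs.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def extension_of(filename: str) -> str:
    """Return the final extension, lower-cased, without the dot ('' if none)."""
    base = os.path.basename(filename)
    _, ext = os.path.splitext(base)
    return ext[1:].lower()


def allowed_by_denylist(filename: str) -> bool:
    """Incomplete-blacklist check: accepts anything not explicitly listed."""
    return extension_of(filename) not in INCOMPLETE_DENYLIST


def allowed_by_allowlist(filename: str) -> bool:
    """Allowlist check: accepts only known-safe extensions and rejects the rest,
    including files with no extension at all."""
    ext = extension_of(filename)
    return ext != "" and ext in ALLOWLIST


def compare(filenames):
    """Return {filename: (denylist_verdict, allowlist_verdict)} for a batch."""
    return {f: (allowed_by_denylist(f), allowed_by_allowlist(f)) for f in filenames}


if __name__ == "__main__":
    # Constructed sample uploads, including a case variant and a bare name.
    samples = ["photo.jpg", "report.pdf", "page.php", "page.php4",
               "page.php5", "PAGE.PHP5", "noext"]
    for name, (deny_ok, allow_ok) in compare(samples).items():
        print(f"{name:10} denylist accepts={deny_ok!s:5} allowlist accepts={allow_ok}")
```

Running the block shows the denylist accepting page.php4 and page.php5 while rejecting page.php, whereas the allowlist rejects all three and still accepts the image and PDF uploads. Lower-casing the extension before the comparison matters for both checks; a server that treats PAGE.PHP5 like page.php5 would otherwise slip past a case-sensitive list.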

Fix

Found a problem in the description? Have something to add? Feel free to write to us 👾

Related identifiers

CVE-2007-2630

Affected products

Activecampaign
Ckeditor