CVE-2007-6188

Name of the Vulnerable Software and Affected Versions TuMusika Evolution version 1.7R5

Description The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the language parameter to API endpoints such as "languages n.php", "languages f.php", or "languages.php" in the inc/ directory. Additionally, it allows remote attackers to read arbitrary local files via a .. (dot dot) in the uri parameter to the "frames/nogui/sc download.php" endpoint.

Recommendations For TuMusika Evolution version 1.7R5, consider disabling access to the vulnerable API endpoints "languages n.php", "languages f.php", "languages.php", and "frames/nogui/sc download.php" until a patch is available. Restrict the use of the language and uri parameters in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.