CVE-2007-6218

Name of the Vulnerable Software and Affected Versions Ossigeno CMS version 2.2 pre1

Description The issue allows remote attackers to execute arbitrary PHP code via specific URL parameters. This can be achieved by manipulating the level parameter in various PHP files, including install module.php and uninstall module.php in upload/xax/admin/modules/ and upload/xax/ossigeno/admin/, as well as upload/xax/admin/patch/index.php. Additionally, the ossigeno parameter in ossigeno modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php is vulnerable.

Recommendations For Ossigeno CMS version 2.2 pre1, consider disabling the install module.php and uninstall module.php functions in upload/xax/admin/modules/ and upload/xax/ossigeno/admin/ until a patch is available. Also, restrict access to upload/xax/admin/patch/index.php and the ossigeno modules/ossigeno-catalogo/xax/ossigeno/catalogo/common.php file to minimize the risk of exploitation. Avoid using the level and ossigeno parameters in the affected API endpoints until the issue is resolved.