CVE-2008-1409

Name of the Vulnerable Software and Affected Versions Exero CMS version 1.0.1

Description The issue concerns directory traversal vulnerabilities in the Default theme of Exero CMS. These vulnerabilities allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the theme parameter to various PHP files, including "index.php", "editpassword.php", "avatar.php", "custompage.php", "errors/404.php", "memberslist.php", "profile.php", "fullview.php", and "nopermission.php". The affected endpoints include "/usercp/", "/members/", "/news/", and others.

Recommendations For Exero CMS version 1.0.1, consider restricting access to the vulnerable PHP files until a patch is available. As a temporary workaround, avoid using the theme parameter in the affected API endpoints. Restrict access to the Default theme to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.