CVE-2008-5272

Name of the Vulnerable Software and Affected Versions SyndeoCMS version 2.6.0

Description The issue allows remote authenticated users to read arbitrary files due to multiple directory traversal vulnerabilities. This is achieved by including a .. (dot dot) in the template parameter to specific API endpoints, such as "/starnet/editors/fckeditor/studenteditor.php", "/starnet/modules/sn news/edit content.php", and "/starnet/modules/sn newsletter/edit content.php", all of which can be reached through "/starnet/index.php".

Recommendations For SyndeoCMS version 2.6.0, as a temporary workaround, consider restricting access to the vulnerable template parameter in the affected API endpoints until a patch is available. Additionally, restrict access to the affected modules, such as "fckeditor", "sn news", and "sn newsletter", to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.