CVE-2009-2109

Name of the Vulnerable Software and Affected Versions FretsWeb version 1.2

Description The issue allows remote attackers to read arbitrary files due to multiple directory traversal vulnerabilities. This is achieved through directory traversal sequences in the language parameter to "charts.php" and the fretsweb language cookie parameter to unspecified vectors, possibly related to "admin/common.php".

Recommendations For FretsWeb version 1.2, consider restricting access to the "charts.php" and "admin/common.php" files until a patch is available. As a temporary workaround, avoid using the language parameter in the "charts.php" endpoint and the fretsweb language cookie parameter in affected requests.