CVE-2008-1409

Multiple directory traversal vulnerabilities in the Default theme in Exero CMS 1.0.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the theme parameter to (1) index.php, (2) editpassword.php, and (3) avatar.php in usercp/; (4) custompage.php; (5) errors/404.php; (6) memberslist.php and (7) profile.php in members/; (8) index.php and (9) fullview.php in news/; and (10) nopermission.php.

Published: Mar 20, 2008
Updated: Apr 13, 2023
CVE: CVE-2008-1409
Severity: High
Exploit:

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
exero / exero_cms	1.0.1	1.0.1.x

http://www.securityfocus.com/bid/28273
http://www.vupen.com/english/advisories/2008/0909/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/41238
https://www.exploit-db.com/exploits/5265

Vulnerability Database

291,049

CVE-2008-1409