CVE-2007-5148

Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure
Configurations

Configuration 1 (hide)

cpe:2.3:a:frontaccounting:frontaccounting:1.12:*:*:*:*:*:*:*

History

21 Nov 2024, 00:37

Type Values Removed Values Added
References () http://arfis.wordpress.com/2007/09/14/rfi-02-frontaccounting/ - () http://arfis.wordpress.com/2007/09/14/rfi-02-frontaccounting/ -
References () http://osvdb.org/45524 - () http://osvdb.org/45524 -

07 Nov 2023, 02:01

Type Values Removed Values Added
Summary ** DISPUTED ** Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure. Multiple PHP remote file inclusion vulnerabilities in FrontAccounting (FA) 1.12 allow remote attackers to execute arbitrary PHP code via a URL in the path_to_root parameter to (1) access/logout.php or certain PHP scripts under (2) admin/, (3) dimensions/, (4) gl/, (5) inventory/, (6) manufacturing/, (7) purchasing/, (8) reporting/, (9) sales/, or (10) taxes/. NOTE: the config.php vector is already covered by CVE-2007-4279, and the login.php and language.php vectors are already covered by CVE-2007-5117. NOTE: this issue is disputed by CVE because path_to_root is defined before use in all of the other files reported in the original disclosure

Information

Published : 2007-10-01 05:17

Updated : 2024-11-21 00:37


NVD link : CVE-2007-5148

Mitre link : CVE-2007-5148

CVE.ORG link : CVE-2007-5148


JSON object : View

Products Affected

frontaccounting

  • frontaccounting
CWE
CWE-94

Improper Control of Generation of Code ('Code Injection')