CVE-2008-1409 Information

Description

Multiple directory traversal vulnerabilities in the Default theme in Exero CMS 1.0.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences in the theme parameter to (1) index.php (2) editpassword.php and (3) avatar.php in usercp/; (4) custompage.php; (5) errors/404.php; (6) memberslist.php and (7) profile.php in members/; (8) index.php and (9) fullview.php in news/; and (10) nopermission.php.

Reference

http://www.securityfocus.com/bid/28273 http://www.vupen.com/english/advisories/2008/0909/references https://exchange.xforce.ibmcloud.com/vulnerabilities/41238 https://www.exploit-db.com/exploits/5265