CVE-2006-5459
Published 2006-10-23
Priority: P431 | Severity: high | CVSS 2.0: 7.5
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 1.22% (64.8th percentile)
Multiple PHP remote file inclusion vulnerabilities in Download-Engine 1.4.2 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) $_ENGINE[eng_dir] and possibly (2) spaw_root parameters in admin/includes/spaw/spaw_script.js.php, and the (3) $_ENGINE[eng_dir], (4) $spaw_root, (5) $spaw_dir, and (6) $spaw_base_url parameters in admin/includes/spaw/config/spaw_control.config.php, different vectors than CVE-2006-5291. NOTE: CVE analysis as of 20061021 is inconclusive, but suggests that some or all of the suggested attack vectors are ineffective.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alex | downloadengine | <= 1.4.2 | — |
| alexscriptengine | download-engine | — | — |
GHSA-5mhv-62mq-c5pf (CVE-2007-2255) [HIGH]
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
Multiple PHP remote file inclusion vulnerabilities in Download-Engine 1.4.3 allow remote attackers to execute arbitrary PHP code via a URL in the (1) eng_dir parameter to addmember.php, (2) lang_path parameter to admin/enginelib/class.phpmailer.php, and the (3) spaw_root parameter to admin/includes/spaw/dialogs/colorpicker.php, different vectors than CVE-2006-5291 and CVE-2006-5459. NOTE: vector 3 might be an issue in SPAW.
GHSA-qmc5-93wf-hh65 (CVE-2006-5459) [HIGH]
ghsa_unreviewed · 2022-05-01 · CVSS 7.5
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2006-10-23