Description

thumbsup.php in Thumbs-Up 1.12, as used in LightNEasy "no database" (aka flat) and SQLite 1.2.2 and earlier, allows remote attackers to copy, rename, and read arbitrary files via directory traversal sequences in the image parameter with a modified cache_dir parameter containing a %00 (encoded null byte).

Remediation

References

CVE-2008-6592

Related Vulnerabilities

WordPress Plugin Post SMTP-WP SMTP with Email Logs & Mobile App for Failure Alerts-Any SMTP Plus Gmail SMTP, Office 365, Brevo, Mailgun, Amazon SES, Postmark Cross-Site Scripting (2.1.3)

WordPress Plugin JobSearch WP Job Board Cross-Site Scripting (1.5.4)

MySQL CVE-2020-14559 Vulnerability (CVE-2020-14559)

WebLogic CVE-2019-2827 Vulnerability (CVE-2019-2827)

Jenkins Session Fixation Vulnerability (CVE-2021-21671)

Severity

High

Classification

CVE-2008-6592 CWE-22

Tags

Missing Update Known Vulnerabilities