DescriptionIncomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
moin (PTS)buster, buster (security)1.9.9-1+deb10u1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
karrigellsource(unstable)(not affected)
knowledgerootsource(unstable)(not affected)
moinsourceetch(not affected)


- knowledgeroot <not-affected> (fixed before first upload; see bug #381912)
[etch] - moin <not-affected> (Vulnerable php code not present)
- karrigell <not-affected> (Vulnerable php code not present)

Search for package or bug name: Reporting problems