CVE-2010-1342

Published: Apr 9, 2010Modified: Apr 29, 2026

6.8

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability: 8.6 / Impact: 6.4

Source: NVD

Description

Multiple PHP remote file inclusion vulnerabilities in Direct News 4.10.2, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the rootpath parameter to (1) admin/menu.php and (2) library/lib.menu.php; and the adminroot parameter to (3) admin/media/update_content.php and (4) library/class.backup.php. NOTE: some of these details are obtained from third party information.

Affected (1)

Products: Directnews: Direct News

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Directnews Direct News	Version 4.10.2

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (6)

http://secunia.com/advisories/39106

Source: cve@mitre.org

Vendor Advisory

http://www.exploit-db.com/exploits/11882

Source: cve@mitre.org

Exploit

http://www.securityfocus.com/bid/38975

Source: cve@mitre.org

Exploit

http://secunia.com/advisories/39106

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.exploit-db.com/exploits/11882

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

http://www.securityfocus.com/bid/38975

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.