Description
Multiple PHP remote file inclusion vulnerabilities in SmartISoft phpListPro 2.01 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the returnpath parameter in (1) editsite.php, (2) addsite.php, and (3) in.php. NOTE: The config.php vector is already covered by CVE-2006-1749.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Aesthetico · textwebappsphp
https://www.exploit-db.com/exploits/1769
References (10)
Core 10
Core References
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/882
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/688
Third Party Advisory third-party-advisory
x_refsource_sreason
http://securityreason.com/securityalert/156
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://securitytracker.com/id?1016060
Third Party Advisory, VDB Entry vdb-entry
x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/26359
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/433562/100/0/threaded
Third Party Advisory, VDB Entry mailing-list
x_refsource_bugtraq
http://www.securityfocus.com/archive/1/433285/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/25905
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/25904
Third Party Advisory, VDB Entry vdb-entry
x_refsource_osvdb
http://www.osvdb.org/25906
Scores
EPSS
0.1150
EPSS Percentile
93.7%
Details
Status
published
Products (2)
smartisoft/phplistpro
2.0
smartisoft/phplistpro
< 2.01
Published
May 12, 2006
Tracked Since
Feb 18, 2026