CVE-2006-4285

Fscripts Fantastic News - Code Injection

Title source: rule

Description

PHP remote file inclusion vulnerability in news.php in Fantastic News 2.1.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the CONFIG[script_path] parameter. NOTE: it was later reported that 2.1.5 is also affected.

Exploits (1)

exploitdb WORKING POC VERIFIED

by SHiKaA · textwebappsphp

https://www.exploit-db.com/exploits/2221

View Code ZIP pw:eip

References (7)

Core 7

Core References

Exploit, Patch vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/19613

Vendor Advisory vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2006/3336

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/2221

Exploit, Patch, Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/21571

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/28469

Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq

http://www.securityfocus.com/archive/1/457680/100/0/threaded

Patch x_refsource_misc

http://fscripts.com/index.php

Scores

EPSS 0.1475

EPSS Percentile 94.5%

Details

CWE

CWE-94

Status published

Products (4)

fscripts/fantastic_news 2.1.1

fscripts/fantastic_news 2.1.2

fscripts/fantastic_news 2.1.3

fscripts/fantastic_news 2.1.5

Published Aug 22, 2006

Tracked Since Feb 18, 2026