CVE-2009-2265
Severity CVSS v4.0:
Pending analysis
Type:
CWE-22
Path Traversal
Publication date:
05/07/2009
Last modified:
09/04/2025
Description
Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory.
Impact
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:fckeditor:fckeditor:*:*:*:*:*:*:*:* | 2.6.4 (including) | |
| cpe:2.3:a:fckeditor:fckeditor:2.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.0_fc:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.0_rc2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.0rc2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.0rc3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.3:beta:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.3.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:fckeditor:fckeditor:2.4:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://isc.sans.org/diary.html?storyid=6724
- http://mail.zope.org/pipermail/zope-dev/2009-July/037195.html
- http://packetstormsecurity.com/files/163271/Adobe-ColdFusion-8-Remote-Command-Execution.html
- http://secunia.com/advisories/35833
- http://secunia.com/advisories/35909
- http://sourceforge.net/project/shownotes.php?release_id=695430
- http://www.debian.org/security/2009/dsa-1836
- http://www.ocert.org/advisories/ocert-2009-007.html
- http://www.securityfocus.com/archive/1/504721/100/0/threaded
- http://www.securitytracker.com/id?1022513=
- http://www.vupen.com/english/advisories/2009/1813
- http://www.vupen.com/english/advisories/2009/1825
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00710.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00750.html
- http://isc.sans.org/diary.html?storyid=6724
- http://mail.zope.org/pipermail/zope-dev/2009-July/037195.html
- http://packetstormsecurity.com/files/163271/Adobe-ColdFusion-8-Remote-Command-Execution.html
- http://secunia.com/advisories/35833
- http://secunia.com/advisories/35909
- http://sourceforge.net/project/shownotes.php?release_id=695430
- http://www.debian.org/security/2009/dsa-1836
- http://www.ocert.org/advisories/ocert-2009-007.html
- http://www.securityfocus.com/archive/1/504721/100/0/threaded
- http://www.securitytracker.com/id?1022513=
- http://www.vupen.com/english/advisories/2009/1813
- http://www.vupen.com/english/advisories/2009/1825
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00710.html
- https://www.redhat.com/archives/fedora-package-announce/2009-July/msg00750.html