CVE-2006-0658

critical

Description

Incomplete blacklist vulnerability in connector.php in FCKeditor 2.0 and 2.2, as used in products such as RunCMS, allows remote attackers to upload and execute arbitrary script files by giving the files specific extensions that are not listed in the Config[DeniedExtensions][File], such as .php.txt.

References

https://www.exploit-db.com/exploits/3702

http://www.vupen.com/english/advisories/2006/0502

http://secunia.com/advisories/18767

Details

Source: Mitre, NVD

Published: 2006-02-13

Updated: 2026-04-16

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.05676