Name | CVE-2009-2265 |
Description | Multiple directory traversal vulnerabilities in FCKeditor before 2.6.4.1 allow remote attackers to create executable files in arbitrary directories via directory traversal sequences in the input to unspecified connector modules, as exploited in the wild for remote code execution in July 2009, related to the file browser and the editor/filemanager/connectors/ directory. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-1836-1 |
Debian Bugs | 536051, 538722 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
moin (PTS) | jessie, jessie (lts) | 1.9.8-1+deb8u2 | fixed |
| stretch (security), stretch (lts), stretch | 1.9.9-1+deb9u2 | fixed |
| buster (security), buster, buster (lts) | 1.9.9-1+deb10u1 | fixed |
The information below is based on the following data on fixed versions.
Notes
http://dev.fckeditor.net/changeset/3815/FCKeditor/trunk/editor/filemanager
moin from 1.8.2-2 uses systemwide copy of fckeditor
[etch] - moin <not-affected> (Vulnerable code not present)
moin in lenny provides FCKeditor as example files (/usr/share/doc)
- request-tracker3.8 <not-affected> (Vulnerable code not present)
[etch] - gforge <not-affected> (doesn't contain FCKeditor)
[etch] - karrigell <not-affected> (Vulnerable code not present)
knowledgeroot from 0.9.8.5-3 uses systemwide copy of fckeditor