Auction Weaver 1.0 through 1.04 does not properly validate the names of form fields, which allows remote attackers to delete arbitrary files and directories via a .. (dot dot) attack.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Auction_weaver | Cgi_script_center | 1.0 | 1.0 |
Auction_weaver | Cgi_script_center | 1.01 | 1.01 |
Auction_weaver | Cgi_script_center | 1.02 | 1.02 |
Auction_weaver | Cgi_script_center | 1.03 | 1.03 |
Auction_weaver | Cgi_script_center | 1.04 | 1.04 |