artmedic newsletter 4.1 and possibly other versions, when register_globals is enabled, allows remote attackers to modify arbitrary files and execute arbitrary PHP code via the logfile parameter in a direct request to log.php, which causes the $logfile variable to be redefined to an attacker-controlled value, as demonstrated by injecting PHP code into info.php.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Artmedic_newsletter | Artmedic_webdesign | 4.1 (including) | 4.1 (including) |