Support Incident Tracker <= 3.65 PHP Code Injection Vulnerability

Description:

Support Incident Tracker contains a flaw that allows authenticated users to inject and execute arbitrary PHP code. Input passed via keys of the $_POST array to the translate.php script is not properly sanitized before being stored in a file with a .php extension in the ‘i18n’ directory.
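The flaw class described above, as an added example that is not code from Support Incident Tracker: a hypothetical translation-file writer that pastes POST keys into PHP source, beside a hardened form that allowlists key names and lets var_export() do the quoting. All function names, the file naming scheme and the sample input are assumptions.

```php
<?php
// Added illustration, not SiT source. All names here are hypothetical.

// Flawed pattern: POST keys and values are concatenated into PHP source text.
function write_lang_unsafe(array $post, string $path): void
{
    $out = "<?php\n";
    foreach ($post as $key => $value) {
        // $key is never validated, so it becomes part of the generated code
        $out .= "\$$key = '$value';\n";
    }
    file_put_contents($path, $out);
}

// Hardened pattern: restrict key names, serialize values with var_export().
function write_lang_safe(array $post, string $i18nDir, string $langCode): int
{
    // The language code selects the file name, so restrict it too (e.g. en-GB)
    if (!preg_match('/\A[a-z]{2}(-[A-Z]{2})?\z/', $langCode)) {
        throw new InvalidArgumentException('bad language code');
    }
    $strings = [];
    foreach ($post as $key => $value) {
        // Keys must look like plain identifiers; anything else is dropped
        if (!is_string($key) || !preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $key)) {
            continue;
        }
        if (!is_string($value)) {
            continue; // nested arrays are not translation strings
        }
        $strings[$key] = $value;
    }
    // var_export() emits one fully escaped PHP literal for the whole array
    $src = "<?php\nreturn " . var_export($strings, true) . ";\n";
    file_put_contents($i18nDir . '/' . $langCode . '.inc.php', $src, LOCK_EX);
    return count($strings);
}

// Constructed sample input: the second key is not an identifier and is rejected
$sample = ['strHello' => "It's here", 'bad key;' => 'x', 'strBye' => 'Bye'];
echo write_lang_safe($sample, sys_get_temp_dir(), 'en-GB'), " strings written\n";
```

Writing translations to a non-executable format such as JSON, outside any directory the web server will interpret as PHP, removes the code-execution path altogether.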

References:

Disclosure Date:

November 19, 2011