Unrated severityNVD Advisory· Published Feb 10, 2006· Updated Apr 16, 2026
CVE-2006-0644
CVE-2006-0644
Description
Multiple directory traversal vulnerabilities in install.php in CPG-Nuke Dragonfly CMS (aka CPG Dragonfly CMS) 9.0.6.1 allow remote attackers to include and execute arbitrary local files via directory traversal sequences and a NUL (%00) character in (1) the newlang parameter and (2) the installlang parameter in a cookie, as demonstrated by using error.php to insert malicious code into a log file, or uploading a malicious .png file, which is then included using install.php.
Affected products
1- cpe:2.3:a:cpg-nuke:dragonfly_cms:9.0.6_.1:*:*:*:*:*:*:*
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
8- retrogod.altervista.org/dragonfly9.0.6.1_incl_xpl.htmlnvdExploit
- www.securityfocus.com/bid/16546nvdExploit
- dragonflycms.org/Forums/viewtopic/p=98034.htmlnvd
- dragonflycms.org/Forums/viewtopic/p=98034.htmlnvd
- securitytracker.com/idnvd
- www.osvdb.org/23058nvd
- www.securityfocus.com/archive/1/424439/100/0/threadednvd
- exchange.xforce.ibmcloud.com/vulnerabilities/24660nvd
News mentions
0No linked articles in our index yet.