Unrated severityNVD Advisory· Published Oct 6, 2007· Updated Apr 23, 2026

CVE-2007-5253

Description

c32web.exe in McMurtrey/Whitaker Cart32 before 6.4 allows remote attackers to read arbitrary files via the ImageName parameter in a GetImage action, by appending a NULL byte (%00) sequence followed by an image file extension, as demonstrated by a request for a ".txt%00.gif" file. NOTE: this might be a directory traversal vulnerability.

Affected products

Mcmurtrey Whitaker And Associates/Cart32
cpe:2.3:a:mcmurtrey_whitaker_and_associates:cart32:*:*:*:*:*:*:*:*
Range: <=6.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

osvdb.org/38580nvd
secunia.com/advisories/27061nvd
securityreason.com/securityalert/3194nvd
www.cart32.com/whatsnew.aspnvd
www.security-assessment.com/files/advisories/2007-10-04_Cart32_Arbitrary_File_Download.pdfnvd
www.securityfocus.com/archive/1/481489/100/0/threadednvd
www.securityfocus.com/bid/25928nvd
exchange.xforce.ibmcloud.com/vulnerabilities/36954nvd
www.exploit-db.com/exploits/30639/nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.008
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000