Unrated severityNVD Advisory· Published Jun 3, 2008· Updated Apr 23, 2026

CVE-2008-2520

Description

Multiple PHP remote file inclusion vulnerabilities in BigACE 2.4, when register_globals is enabled, allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[_BIGACE][DIR][addon] parameter to (a) addon/smarty/plugins/function.captcha.php and (b) system/classes/sql/AdoDBConnection.php; and the (2) GLOBALS[_BIGACE][DIR][admin] parameter to (c) item_information.php and (d) jstree.php in system/application/util/, and (e) system/admin/plugins/menu/menuTree/plugin.php, different vectors than CVE-2006-4423.

Affected products

Bigace/Bigace
cpe:2.3:a:bigace:bigace:2.4:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

secunia.com/advisories/30183nvdPatchVendor Advisory
www.securityfocus.com/bid/29157nvdPatch
exchange.xforce.ibmcloud.com/vulnerabilities/42343nvd
www.exploit-db.com/exploits/5596nvd

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.004
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000