Unrated severity · NVD Advisory · Published Jun 4, 2009 · Updated Apr 23, 2026
CVE-2009-1912
Description
Directory traversal vulnerability in src/func/language.php in webSPELL 4.2.0e and earlier allows remote attackers to include and execute arbitrary local .php files via a .. (dot dot) in a language cookie. NOTE: this can be leveraged for SQL injection by including awards.php.
Affected products
- cpe:2.3:a:webspell:webspell:4.0.2c:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.1:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.01.00:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.01.01:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.01.02:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.2.0c:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:4.2.0d:*:*:*:*:*:*:*
- cpe:2.3:a:webspell:webspell:*:*:*:*:*:*:*:* (range: <=4.2.0e)
- cpe:2.3:a:webspell:webspell:4.0:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References
- www.osvdb.org/54296 (nvd: Patch)
- www.webspell.org (nvd: Patch)
- www.webspell.org/index.php (nvd: Patch)
- www.securityfocus.com/bid/34862 (nvd: Exploit, Patch)
- secunia.com/advisories/35016 (nvd: Vendor Advisory)
- osvdb.org/54295 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/50395 (nvd)
- www.exploit-db.com/exploits/8622 (nvd)