It has been reported that TBE Banner Engine may be prone a server side script execution vulnerability. Due to improper sanitization of user-supplied data, an attacker may be able to pass malicious PHP script code via to the file the banner is stored in. It may also be possible to embed code from other server-side scripting languages that are supported by the underlying server, such as Server Side Includes. When the banner is viewed, the attacker-supplied code will be interpreted.
TBE Banner Engine versions 4.0 and 5.0 may be prone to this vulnerability.
No exploit is required.
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org <mailto:email@example.com>.