2004-09-01 04:00:00
mitre
PUBLISHED
class.atkdateattribute.js.php in Achievo 0.7.0 through 0.9.1, except 0.8.2, allows remote attackers to execute arbitrary PHP code when the allow_url_fopen setting is enabled via a URL in the config_atkroot parameter that points to the code.