
Abdi Mohamed

#48570 of 53,635
5.1 CVSS total
Vulnerabilities · 1
PT-2011-2404
5.1
2011-01-20
Zwii · Zwii · CVE-2011-0505
**Name of the Vulnerable Software and Affected Versions**
Zwii version 2.1.1

**Description**
A directory traversal issue exists when `magic_quotes_gpc` is disabled and `register_globals` is enabled, allowing remote attackers to include and execute arbitrary local files via directory traversal sequences in the `set[template][value]` parameter.

**Recommendations**
For Zwii version 2.1.1, consider disabling the `register_globals` setting and enabling `magic_quotes_gpc` to mitigate the risk of exploitation. Additionally, restrict access to the `system/system.php` file to minimize the risk of arbitrary file inclusion. Avoid using the `set[template][value]` parameter in the affected API endpoint until the issue is resolved.