Dickysofficial

**Name of the Vulnerable Software and Affected Versions** Faveo version 1.9.3 **Description** The issue allows for CSRF, potentially resulting in obtaining admin privileges. The affected endpoint is "public/rolechangeadmin". **Recommendations** For Faveo version 1.9.3, update to a version that includes a fix for this issue to prevent CSRF attacks. As a temporary workaround, consider implementing CSRF protection measures to restrict access to the "public/rolechangeadmin" endpoint.

**Name of the Vulnerable Software and Affected Versions** HelpDEZk version 1.1.1 **Description** The issue allows for obtaining admin privileges through CSRF in the "admin/home#/person/" endpoint. **Recommendations** For HelpDEZk version 1.1.1, update to a version that includes a fix for this issue, as using the `admin/home#/person/` endpoint can lead to admin privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HelpDEZk version 1.1.1 **Description** The issue allows for remote execution of arbitrary PHP code through a CSRF vulnerability. It is specifically found in the "admin/home#/logos/" endpoint. **Recommendations** For HelpDEZk version 1.1.1, as a temporary workaround, consider restricting access to the "admin/home#/logos/" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pixie version 1.0.4 **Description** The issue allows remote authenticated users to upload and execute arbitrary PHP code. This is achieved by sending a POST request to the "admin/index.php?s=publish&x=filemanager" endpoint with a filename that has a double extension, such as a .jpg.php file, and setting the Content-Type to image/jpeg. **Recommendations** For Pixie version 1.0.4, consider restricting access to the admin/index.php file and validating file uploads to prevent execution of arbitrary PHP code. As a temporary workaround, restrict the `filemanager` functionality in the `admin/index.php` endpoint until a patch is available. Avoid using the `x=filemanager` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pixie version 1.0.4 **Description** The issue allows for an XSS attack through the admin/index.php endpoint with specific settings. The attack is facilitated by the `s` and `x` parameters. **Recommendations** For Pixie version 1.0.4, as a temporary workaround, consider restricting access to the admin/index.php endpoint with the `s=settings` and `x` parameters until a patch is available. Avoid using the `s` and `x` parameters in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pixie version 1.0.4 **Description** The issue allows for an XSS attack. The attack can be performed through the `admin/index.php` endpoint with specific parameters set, such as `s=publish`, `m=module`, and `x`. **Recommendations** For Pixie version 1.0.4, as a temporary workaround, consider restricting access to the `admin/index.php` endpoint until a patch is available. Avoid using the parameters `s`, `m`, and `x` in this endpoint to minimize the risk of exploitation.