Ggbot

**Name of the Vulnerable Software and Affected Versions** codelyfe Stupid Simple CMS versions up to 1.2.4 **Description** A problematic issue was discovered in the file /file-manager/rename.php, where an unknown functionality is affected. The manipulation of the `oldName` argument leads to path traversal, allowing an attacker to access files outside the intended directory, such as '../filedir'. This issue can be exploited remotely. **Recommendations** For versions up to 1.2.4, consider restricting access to the /file-manager/rename.php file until a fix is available, and avoid using the `oldName` argument in this context to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** codelyfe Stupid Simple CMS versions up to 1.2.4 **Description** A critical issue has been found in the software, affecting some unknown functionality of the file /file-manager/rename.php. The manipulation of the `newName` argument leads to path traversal, allowing an attacker to access files outside the intended directory, such as '../filedir'. This issue can be exploited remotely. **Recommendations** For versions up to 1.2.4, as a temporary workaround, consider restricting access to the /file-manager/rename.php file until a patch is available. Avoid using the `newName` argument in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** codelyfe Stupid Simple CMS versions up to 1.2.4 **Description** A critical issue has been found in the Deletion Interface component, specifically in the /file-manager/delete.php file. The manipulation of the `file` argument leads to improper authentication. The issue has been publicly disclosed and can be exploited. **Recommendations** For codelyfe Stupid Simple CMS versions up to 1.2.4, consider restricting access to the /file-manager/delete.php file until a patch is available. As a temporary workaround, avoid using the `file` argument in the Deletion Interface to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** codelyfe Stupid Simple CMS versions up to 1.2.3 **Description** A critical issue was found in the HTTP POST Request Handler component, specifically affecting the file /terminal/handle-command.php. The manipulation of the `command` argument with the input `whoami` leads to os command injection. This issue can be exploited remotely. **Recommendations** For versions up to 1.2.3, as a temporary workaround, consider restricting access to the `/terminal/handle-command.php` file to minimize the risk of exploitation. Avoid using the `command` argument in the affected HTTP POST Request Handler until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** codelyfe Stupid Simple CMS versions up to 1.2.4 **Description** A critical issue has been found in the file /file-manager/upload.php, where the manipulation of the `file` argument leads to unrestricted upload. The exploit has been disclosed to the public and may be used. **Recommendations** For codelyfe Stupid Simple CMS versions up to 1.2.4, consider disabling the upload functionality in the /file-manager/upload.php file until a patch is available. Restrict access to the /file-manager/upload.php endpoint to minimize the risk of exploitation. Avoid using the `file` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.