Hadi999

**Name of the Vulnerable Software and Affected Versions** GDidees CMS versions 3.9.1 and lower **Description** The issue is related to an arbitrary file download via the `filename` parameter at the "/ admin/imgdownload.php" API endpoint. This allows unauthorized access to files on the system. **Recommendations** For GDidees CMS versions 3.9.1 and lower, consider restricting access to the "/ admin/imgdownload.php" endpoint until a patch is available. As a temporary workaround, avoid using the `filename` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GDidees CMS version 3.9.1 **Description** An arbitrary file upload vulnerability in the `upload` function allows attackers to execute arbitrary code via a crafted file. **Recommendations** For GDidees CMS version 3.9.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GDidees CMS version 3.9.1 **Description** A source code disclosure issue was found in the backup feature of GDidees CMS, accessible via the "/ admin/backup.php" endpoint. This allows for potential access to sensitive information. **Recommendations** For GDidees CMS version 3.9.1, consider restricting access to the "/ admin/backup.php" endpoint until a patch is available. As a temporary workaround, disabling the backup feature may help minimize the risk of exploitation.