cPanel · Fantastico De Luxe · CVE-2008-4181
**Name of the Vulnerable Software and Affected Versions**
Fantastico De Luxe module versions prior to 2.10.4 r19
**Description**
The issue allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) or absolute pathname in the `fantasticopath` parameter. This can be leveraged for remote file inclusion by using a UNC share pathname or an ftp, ftps, or ssh2.sftp URL in certain environments.
**Recommendations**
Update to version 2.10.4 r19 or later to resolve the issue. As a temporary workaround on earlier versions, consider disabling the cPanel PHP Register Globals feature to minimize the risk of exploitation. Restrict access to the `includes/xml.php` file to prevent unauthorized inclusion and execution of local files. Avoid using the `fantasticopath` parameter with untrusted input until the issue is resolved.
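For log review while the update is pending, the following added example (not Fantastico or cPanel code) classifies `fantasticopath` values in requests for `includes/xml.php` by the input shapes named in the Description: dot dot, absolute pathname, UNC share, and ftp/ftps/ssh2.sftp URL. The function names, request path prefix and host names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Stream wrappers the advisory names for the remote-inclusion variant.
REMOTE_SCHEMES = ("ftp", "ftps", "ssh2.sftp")

def classify_fantasticopath(value):
    """Return which vector from the advisory a decoded value matches, or None."""
    v = value.strip()
    if "://" in v and v.split("://", 1)[0].lower() in REMOTE_SCHEMES:
        return "remote-url"
    # Assumption: both \\host\share and //host/share count as a UNC share.
    if v.startswith(("\\\\", "//")):
        return "unc-share"
    # A ".." path segment with either separator style.
    if ".." in re.split(r"[\\/]", v):
        return "dot-dot"
    # POSIX absolute path or Windows drive-letter path.
    if v.startswith(("/", "\\")) or re.match(r"[A-Za-z]:[\\/]", v):
        return "absolute-path"
    return None

def scan_request(url):
    """Classify each fantasticopath value in a request for includes/xml.php."""
    parts = urlsplit(url)
    if not parts.path.endswith("/includes/xml.php"):
        return []
    # parse_qs percent-decodes, so %2e%2e%2f is seen as ../
    values = parse_qs(parts.query, keep_blank_values=True).get("fantasticopath", [])
    return [(v, classify_fantasticopath(v)) for v in values]

# Constructed request targets; the directory prefix and hosts are placeholders.
SAMPLE_REQUESTS = [
    "/placeholder/includes/xml.php?fantasticopath=%2e%2e%2f%2e%2e%2fplaceholder",
    "/placeholder/includes/xml.php?fantasticopath=/placeholder/dir",
    "/placeholder/includes/xml.php?fantasticopath=%5C%5Chost.example%5Cshare",
    "/placeholder/includes/xml.php?fantasticopath=ftps://host.example/dir",
    "/placeholder/includes/xml.php?fantasticopath=modules",
    "/placeholder/index.php?fantasticopath=../x",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for value, verdict in scan_request(req):
            if verdict:
                print(f"{verdict:14} {value!r}  <- {req}")
```

A non-`None` verdict marks a request worth reviewing; it does not show that inclusion succeeded.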