Kerlingcode

Rank #17536 of 53,622
Total CVSS: 15.3
Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2018-10556
6.5
2018-05-24
Bearadmin · Bearadmin · CVE-2018-11413
**Name of the Vulnerable Software and Affected Versions** BearAdmin version 0.5 **Description** Remote attackers can download arbitrary files by placing directory traversal sequences in the `name` parameter of the `/admin/databack/download.html` endpoint. The endpoint serves database backups, but because the requested path is not confined to the backup directory, the attacker can retrieve any file readable by the web server, including the application configuration file that holds the MySQL credentials. **Recommendations** For BearAdmin version 0.5, restrict access to the `/admin/databack/download.html` endpoint to trusted administrators to minimize the risk of exploitation. The proper fix is to validate the `name` parameter: resolve the requested path and refuse to serve anything that does not reside inside the backup directory, rather than merely stripping `../` sequences from the input.
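The containment check the recommendation above calls for, as an added example written for this page (it is not BearAdmin's code and does not use its framework). The function takes the backup directory and the raw `name` value, resolves the path with `realpath`, and only returns it when the resolved path is still inside the backup directory. The directory layout, file names and probe strings in `demo()` are constructed for the demonstration:

```python
"""Confine a user-supplied download name to a backup directory (added illustration)."""
import os
import tempfile
from typing import Dict, Optional
from urllib.parse import unquote


def resolve_download(base_dir: str, name: str) -> Optional[str]:
    """Return the absolute path of `name` inside `base_dir`, or None if it escapes.

    The decision is made on the resolved path, so `..` segments, absolute paths
    and symlinks pointing outside the backup directory are all rejected. The
    value is URL-decoded once first, because a framework may hand the
    controller the raw query value.
    """
    base = os.path.realpath(base_dir)
    decoded = unquote(name)
    # Null bytes can truncate the path in C-level file APIs; reject them outright.
    if decoded == "" or "\x00" in decoded:
        return None
    candidate = os.path.realpath(os.path.join(base, decoded))
    # commonpath is the portable containment test; a plain startswith() check
    # would wrongly accept /var/backups_evil for a base of /var/backups.
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> Dict[str, Optional[str]]:
    """Constructed layout: backups/ holds one dump, config/database.php sits beside it."""
    root = tempfile.mkdtemp()
    backups = os.path.join(root, "backups")
    config = os.path.join(root, "config")
    os.makedirs(backups)
    os.makedirs(config)
    with open(os.path.join(backups, "site-2018-05-24.sql"), "w") as fh:
        fh.write("-- constructed dump\n")
    with open(os.path.join(config, "database.php"), "w") as fh:
        fh.write("<?php return ['password' => 'constructed'];\n")

    # Hypothetical probe values an attacker might send as the `name` parameter.
    probes = [
        "site-2018-05-24.sql",          # legitimate backup
        "../config/database.php",       # classic traversal to the config file
        "..%2Fconfig%2Fdatabase.php",   # same, URL-encoded
        "/etc/passwd",                  # absolute path
        "site-2018-05-24.sql\x00.txt",  # null-byte truncation attempt
    ]
    results = {p: resolve_download(backups, p) for p in probes}
    for probe, path in results.items():
        print(f"{probe!r:34} -> {'ALLOW ' + path if path else 'DENY'}")
    return results


if __name__ == "__main__":
    demo()
```

Only the legitimate backup name is served; every traversal variant resolves outside `backups/` and is denied before any file is opened.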
PT-2018-10557
8.8
2018-05-24
Bearadmin · Bearadmin · CVE-2018-11414
**Name of the Vulnerable Software and Affected Versions** BearAdmin version 0.5 **Description** BearAdmin contains a SQL injection vulnerability caused by the improper construction of a MySQL query in the `admin\controller\AdminLog.php` file. The `user_id` parameter of the `admin/admin_log/index.html` endpoint is concatenated into the query string instead of being bound as a parameter, so an attacker who can reach the endpoint can alter the statement and read data beyond the admin log. **Recommendations** For BearAdmin version 0.5, restrict access to the `admin/admin_log/index.html` endpoint (and the `AdminLog` controller) to trusted administrators until the issue is resolved; since the attacker controls the `user_id` value, simply not using the parameter is not a mitigation. The permanent fix is to pass `user_id` to the query as a bound parameter of a prepared statement, or to validate it as an integer before it reaches the query.
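The failure mode and the fix described above, as an added example written for this page (not BearAdmin's code). An in-memory SQLite table stands in for the MySQL `admin_log` table and the rows are constructed; the injection mechanics and the parameter-binding fix are the same in MySQL. `logs_vulnerable` concatenates the `user_id` value into the statement the way the advisory describes; `logs_fixed` validates the value as an integer and binds it:

```python
"""Concatenated vs bound user_id filter on an admin log table (added illustration)."""
import sqlite3
from typing import List, Tuple

# Constructed sample rows: (id, user_id, action).
SAMPLE_ROWS = [
    (1, 1, "login"),
    (2, 1, "edit_user"),
    (3, 2, "login"),
    (4, 3, "delete_backup"),
]


def make_db() -> sqlite3.Connection:
    """Create the stand-in admin_log table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_log (id INTEGER PRIMARY KEY, user_id INTEGER, action TEXT)"
    )
    conn.executemany("INSERT INTO admin_log VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def logs_vulnerable(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Query built by string concatenation: user_id is interpreted as SQL, not data."""
    sql = f"SELECT id, user_id, action FROM admin_log WHERE user_id = {user_id}"
    return conn.execute(sql).fetchall()


def logs_fixed(conn: sqlite3.Connection, user_id: str) -> List[Tuple]:
    """Validate user_id as an integer and bind it; the statement's shape is fixed."""
    if not user_id.isdigit():
        raise ValueError("user_id must be a non-negative integer")
    return conn.execute(
        "SELECT id, user_id, action FROM admin_log WHERE user_id = ?", (int(user_id),)
    ).fetchall()


def demo() -> dict:
    """Run a benign value and two hypothetical payloads through both versions."""
    conn = make_db()
    # Payloads an attacker could send as user_id; the second reads schema text
    # from sqlite_master (information_schema would be the MySQL equivalent).
    bypass = "1 OR 1=1"
    union = "1 UNION SELECT 1, 2, sql FROM sqlite_master"
    out = {
        "vuln_benign": logs_vulnerable(conn, "1"),
        "vuln_bypass": logs_vulnerable(conn, bypass),
        "vuln_union": logs_vulnerable(conn, union),
        "fixed_benign": logs_fixed(conn, "1"),
    }
    try:
        logs_fixed(conn, bypass)
        out["fixed_bypass_rejected"] = False
    except ValueError:
        out["fixed_bypass_rejected"] = True
    for key, value in out.items():
        print(f"{key}: {value}")
    return out


if __name__ == "__main__":
    demo()
```

With the concatenated query, `1 OR 1=1` returns every row and the UNION payload appends the table definition to the result set; the fixed version returns the two rows for user 1 and refuses anything that is not an integer before it reaches the database.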