Mik-

**Name of the Vulnerable Software and Affected Versions** ZPanel version 2.0 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `uname` parameter to "index.php" or the `page` parameter to "zpanel.php". **Recommendations** For ZPanel version 2.0, consider restricting access to the `uname` parameter in "index.php" and the `page` parameter in "zpanel.php" to minimize the risk of exploitation. Avoid using these parameters until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZPanel versions 2.0 ZPanel versions 2.5 beta 10 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code in ZPanel 2.0 or include local files in ZPanel 2.5 beta 10 and earlier by modifying the `page` parameter. **Recommendations** For ZPanel version 2.0, update to a version that fixes the remote file inclusion issue. For ZPanel versions 2.5 beta 10 and earlier, update to a version that fixes the local file inclusion issue. As a temporary workaround, consider restricting access to the `page` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ZPanel versions 2.0 through 2.5 beta 10 **Description** The issue allows remote attackers to reinstall the software and possibly cause a denial of service. This is due to the software not removing or protecting installation scripts after they have been used. Attackers can exploit this via a direct request to "install.php". **Recommendations** For ZPanel versions 2.0 through 2.5 beta 10, consider removing or protecting the installation scripts after use to prevent unauthorized access. As a temporary workaround, restrict access to the "install.php" endpoint to minimize the risk of exploitation.