Mohan Kallepalli

**Name of the Vulnerable Software and Affected Versions** eFront CMS versions 3.6.15.4 and earlier **Description** The issue allows remote Professor users to obtain sensitive information via a full pathname in the `other` parameter. This is an absolute path traversal vulnerability. **Recommendations** For versions 3.6.15.4 and earlier, consider restricting access to the `other` parameter to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** eFront CMS versions prior to 3.6.15.5 **Description** The issue allows remote authenticated users to read arbitrary files by providing a full pathname in the `Upload file from url` field within the file manager for professor.php. **Recommendations** For versions prior to 3.6.15.5, update to version 3.6.15.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eFront CMS versions prior to 3.6.15.5 **Description** The issue allows remote authenticated users to bypass intended file-upload restrictions. This is achieved by appending a crafted parameter to the file URL, potentially allowing unauthorized file uploads. **Recommendations** For versions prior to 3.6.15.5, update to version 3.6.15.5 or later to resolve the issue.