Sunu11

#16779 of 53,633
16 CVSS total
Vulnerabilities · 2
High
2
PT-2018-14736
7.2
2018-11-05
Baser · Basercms · CVE-2018-18942
**Name of the Vulnerable Software and Affected Versions**
baserCMS versions prior to 4.1.4

**Description**
The issue allows remote attackers to execute arbitrary PHP code. This is achieved via the `admin/theme configs/form` data, specifically through the `ThemeConfig][logo` parameter in the `libBaserModelThemeConfig.php` file.

**Recommendations**
For versions prior to 4.1.4, update to version 4.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `libBaserModelThemeConfig.php` file or disabling the `logo` parameter in the `admin/theme configs/form` data until a patch is applied.

PT-2018-18799
8.8
2018-04-10
Monstra · Monstra Cms · CVE-2018-9037
**Name of the Vulnerable Software and Affected Versions**
Monstra CMS version 3.0.4

**Description**
The issue allows remote code execution via an upload file request for a .zip file. This .zip file is automatically extracted and may contain .php files, leading to potential code execution.

**Recommendations**
For Monstra CMS version 3.0.4, consider disabling the upload functionality for .zip files or restricting the types of files that can be uploaded to prevent remote code execution until a patch is available.