Sunnet · Sunnet Wmpro · CVE-2019-11062
**Name of the Vulnerable Software and Affected Versions**
SUNNET WMPro versions 5.0 through 5.1
**Description**
SUNNET WMPro contains an OS command injection vulnerability. It can be exploited through the "/teach/course/doajaxfileupload.php" API endpoint without authentication.
**Recommendations**
For versions 5.0 and 5.1, consider restricting access to the "/teach/course/doajaxfileupload.php" API endpoint until a patch is available. As a temporary workaround, disabling the functionality related to this endpoint may help minimize the risk of exploitation.
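
One way to check that the access restriction recommended above is actually in effect is to review the web server's access log for requests to the endpoint from outside an allowlist. The script below is an added example, not vendor code; the allowlisted network, the combined log format, the 403/404 block responses and the sample log lines are all assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

ENDPOINT = "/teach/course/doajaxfileupload.php"  # path named in the advisory
# Assumption: only this management network may reach the endpoint (constructed value).
ALLOWED = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: common/combined access log format (client, time, request line, status).
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample log lines using documentation address ranges.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2019:10:01:02 +0000] "POST /teach/course/doajaxfileupload.php HTTP/1.1" 200 512',
    '10.20.0.15 - - [12/Mar/2019:10:02:00 +0000] "POST /teach/course/doajaxfileupload.php HTTP/1.1" 200 498',
    '198.51.100.9 - - [12/Mar/2019:10:03:10 +0000] "POST /teach//course/%64oajaxfileupload.php?x=1 HTTP/1.1" 403 199',
    '203.0.113.7 - - [12/Mar/2019:10:04:00 +0000] "GET /teach/course/index.php HTTP/1.1" 200 1024',
]

def normalize(target):
    """Canonicalize a request target so equivalent spellings of the path match."""
    path = unquote(target.split("?", 1)[0])          # drop query, decode %xx
    path = posixpath.normpath(re.sub(r"/+", "/", path))  # collapse // and /./
    return path.lower()

def review(lines, allowed=ALLOWED):
    """Return requests to the endpoint made by clients outside the allowlist."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, when, method, target, status = m.groups()
        if ENDPOINT not in normalize(target):
            continue
        try:
            permitted = any(ipaddress.ip_address(client) in net for net in allowed)
        except ValueError:
            permitted = False  # non-IP client field: treat as external
        if not permitted:
            # Assumption: a working restriction answers 403 or 404.
            findings.append({"client": client, "time": when, "method": method,
                             "reached_app": status not in ("403", "404")})
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

A finding with `reached_app` set to true means the request was served rather than blocked, so the restriction is not covering that client.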