
Xiaozhis

#13707 of 53,632
19.6 Total CVSS
Vulnerabilities · 2
Critical
2
PT-2017-19175
9.8
2017-06-21
Websitebaker · Websitebaker · CVE-2017-9771
**Name of the Vulnerable Software and Affected Versions**

WebsiteBaker version 2.10.0

**Description**

The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via the `database username`, `database host`, or `database password` parameter in the install/save.php file.

**Recommendations**

For WebsiteBaker version 2.10.0, consider restricting access to the install/save.php file until a patch is available. As a temporary workaround, avoid using the `database username`, `database host`, and `database password` parameters in the install/save.php file to minimize the risk of exploitation.
PT-2017-19148
9.8
2017-06-18
Projectsend · Projectsend · CVE-2017-9741
**Name of the Vulnerable Software and Affected Versions**

ProjectSend version r754

**Description**

The issue allows remote attackers to execute arbitrary PHP code via the `dbprefix` parameter in the install/make-config.php file, related to replacing TABLES PREFIX in the configuration file.

**Recommendations**

For ProjectSend version r754, consider restricting access to the install/make-config.php file until a patch is available, and avoid using the `dbprefix` parameter in this file to minimize the risk of exploitation.