Xrmhtop

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue concerns SQL injection. It can be exploited via the `/system/site.php` API endpoint, specifically through the `link` variable in the `$ REQUEST` array. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the `/system/site.php` endpoint until a patch is available, and avoid using the `link` variable in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue allows for SQL injection via the `/apps/app user/sys user.php` endpoint, specifically through the `name` or `email` variables in the `$ POST` request. This can lead to privilege escalation from a normal user to an administrator. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the `/apps/app user/sys user.php` endpoint until a fix is available, and avoid using the `name` or `email` variables in the `$ POST` request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.7 **Description** The issue allows for arbitrary file read in the dapur/apps/app theme/libs/check file.php file via the `src` or `name` variables in the $ GET request. **Recommendations** For Fiyo CMS version 2.0.7, consider restricting access to the check file.php file or validating and sanitizing the `src` and `name` variables in the $ GET request to prevent arbitrary file read. As a temporary workaround, consider disabling the use of the `src` and `name` variables in the check file.php file until a patch is available.