41-Trk

#17337 of 53,630
15.5 Total CVSS
Vulnerabilities · 2
High
2
PT-2026-5853
7.1
2026-02-03
Redmine · Pmb · CVE-2020-37105
**Name of the Vulnerable Software and Affected Versions** PMB version 5.6

**Description** An issue in the administration download script allows authenticated attackers to execute arbitrary SQL commands. This is achieved by sending crafted requests to the '/admin/sauvegarde/download.php' endpoint using manipulated values in the `logid` parameter to interact with the database.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2026-5161
8.4
2026-01-28
Pmb Services · Pmb Services · CVE-2020-36970
**Name of the Vulnerable Software and Affected Versions** PMB version 5.6

**Description** A local file disclosure issue exists in the 'getgif.php' endpoint. By manipulating the `chemin` parameter, attackers can exploit unsanitized file path input to read arbitrary system files, such as /etc/passwd.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.