Adrien Thierry

**Name of the Vulnerable Software and Affected Versions** Maarch LetterBox versions 2.8 and earlier GEC/GED versions 1.4 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a request to a predictable filename in tmp/. This is due to an unrestricted file upload vulnerability in the file to index.php file. **Recommendations** For Maarch LetterBox versions 2.8 and earlier, update to a version later than 2.8 to resolve the issue. For GEC/GED versions 1.4 and earlier, update to a version later than 1.4 to resolve the issue. As a temporary workaround, consider restricting access to the file to index.php file to minimize the risk of exploitation.