Ally-Petitt

**Name of the Vulnerable Software and Affected Versions** GNU Savane versions 3.13 and earlier **Description** An issue allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the "upload.php" component. **Recommendations** For GNU Savane versions 3.13 and earlier, consider disabling the upload functionality in the "upload.php" component until a patch is available. Restrict access to the "upload.php" component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GNU Savane versions 3.12 and earlier **Description** The issue allows a remote attacker to delete arbitrary files via crafted input to the `trackers data delete file` function. This is due to an Insecure Direct Object Reference (IDOR) in the software. **Recommendations** For GNU Savane versions 3.12 and earlier, as a temporary workaround, consider disabling the `trackers data delete file` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU Savane versions 3.12 and earlier **Description** A Cross Site Request Forgery issue allows a remote attacker to escalate privileges via the "siteadmin/usergroup.php" endpoint. This can be exploited to gain unauthorized access. **Recommendations** For GNU Savane versions 3.12 and earlier, as a temporary workaround, consider restricting access to the "siteadmin/usergroup.php" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.