Ameer Pornillos

**Name of the Vulnerable Software and Affected Versions** PHP-Proxy version 5.1.0 **Description** The issue allows remote attackers to read local files if the default "pre-installed version" is used. This occurs because the `aeb067ca0aa9a3193dce3a7264c90187` app key value from the default config.php is in place, and this value can be easily used to calculate the authorization data needed for local file inclusion. **Recommendations** For PHP-Proxy version 5.1.0, consider changing the default `app key` value in the config.php file to prevent unauthorized access. As a temporary workaround, restrict access to sensitive local files until a more permanent solution is implemented.

**Name of the Vulnerable Software and Affected Versions** ClipperCMS version 1.3.3 **Description** The issue concerns the lack of CSRF protection on the kcfinder file upload feature, which is enabled by default. This allows an attacker to perform actions on behalf of an admin or any user with file upload capability, enabling automatic upload of various file types, including html, pdf, xml, and zip. These uploaded files can be accessed publicly under the "/assets/files" directory. **Recommendations** For ClipperCMS version 1.3.3, consider disabling the kcfinder file upload feature until a patch is available to add CSRF protection. Restrict access to the "/assets/files" directory to minimize the risk of exploitation. Avoid using the file upload capability for sensitive files until the issue is resolved.