Amine Taouirsa

**Name of the Vulnerable Software and Affected Versions** Appnitro MachForm versions prior to 4.2.3 **Description** An issue was discovered that leads to a path traversal vulnerability. The module responsible for serving stored files retrieves the path from the database. By modifying the file name in the ap form table, an attacker can exploit this via the "download.php" API endpoint, specifically the `q` parameter. **Recommendations** For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the download.php API endpoint to minimize the risk of exploitation. Avoid using the `q` parameter in the download.php endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Appnitro MachForm versions prior to 4.2.3 **Description** An issue was discovered in Appnitro MachForm. There is a SQL injection vulnerability via the `q` parameter in the "download.php" endpoint. **Recommendations** For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "download.php" endpoint to minimize the risk of exploitation. Avoid using the `q` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Appnitro MachForm versions prior to 4.2.3 **Description** An issue in Appnitro MachForm allows for SQL Injection through `ap form elements` when the form filter is set to a whitelist, potentially bypassing dangerous extensions. **Recommendations** For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider setting the form filter to a blacklist to minimize the risk of exploitation. Restrict access to the `ap form elements` SQL elements to minimize the risk of SQL Injection until the issue is resolved.