Antonio Cannito

**Name of the Vulnerable Software and Affected Versions** Chadha PHPKB Standard Multi-Language version 9 **Description** The issue allows remote attackers to achieve code execution by uploading a .php file in the admin/js/ directory. This is made possible through the admin/imagepaster/image-upload.php file. **Recommendations** For version 9, restrict access to the admin/imagepaster/image-upload.php file to prevent unauthorized uploads, and consider removing or restricting write access to the admin/js/ directory until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Chadha PHPKB Standard Multi-Language version 9 **Description** The issue allows remote attackers to download files from the server using a dot-dot-slash sequence (../) via the `file` parameter in the "admin/download.php" endpoint. **Recommendations** For version 9, restrict access to the "admin/download.php" endpoint to minimize the risk of exploitation. Avoid using the `file` parameter in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Chadha PHPKB Standard Multi-Language version 9 **Description** The issue allows remote attackers to achieve code execution by injecting PHP code into any POST parameter when saving global settings. **Recommendations** For Chadha PHPKB Standard Multi-Language version 9, consider validating and sanitizing all POST parameters in the admin/save-settings.php file to prevent PHP code injection. As a temporary workaround, restrict access to the admin/save-settings.php file until a patch is available.