Assassins-White

**Name of the Vulnerable Software and Affected Versions** HFish version 0.5.1 **Description** An issue was discovered where inserting a payload in the password entry field triggers XSS code when the administrator views the information. **Recommendations** For HFish version 0.5.1, consider disabling the password entry field or restricting access to it until a fix is available to prevent XSS code triggering.

**Name of the Vulnerable Software and Affected Versions** WTCMS version 1.0 **Description** An issue in WTCMS allows remote attackers to execute arbitrary PHP code. This can be achieved by accessing the "Setting -> Mailbox configuration -> Registration email template" screen and uploading an image file with a .php filename, while setting the `Content-Type` header to `image/gif`. **Recommendations** For WTCMS version 1.0, as a temporary workaround, consider restricting access to the "Setting -> Mailbox configuration -> Registration email template" screen until a patch is available. Avoid uploading files with executable extensions, such as .php, in the registration email template. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WTCMS version 1.0 **Description** An issue in WTCMS allows remote attackers to cause a denial of service through resource consumption by crafting dimensions for the verification code image. **Recommendations** For WTCMS version 1.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WTCMS version 1.0 **Description** An issue was discovered that allows a CSRF attack through the "index.php?g=admin&m=setting&a=site post" endpoint, specifically targeting the `site post` action within the `setting` module of the admin interface. **Recommendations** For WTCMS version 1.0, consider implementing CSRF protection measures, such as token-based validation, to prevent unauthorized requests to the "index.php?g=admin&m=setting&a=site post" endpoint. As a temporary workaround, restrict access to this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WTCMS version 1.0 **Description** An issue was discovered that allows stored XSS via the third text box, which is used for the website statistics code. **Recommendations** For WTCMS version 1.0, consider disabling the third text box for website statistics code until a patch is available to prevent exploitation.