Badru8612

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue allows an authenticated user to execute remote code, providing control over certain parameters. Specifically, the `/api/index.php` API endpoint is affected, where an attacker can manipulate the `action` and `function` parameters. **Recommendations** For CuppaCMS version 1.0, consider restricting access to the `/api/index.php` API endpoint until a fix is available. As a temporary workaround, limit the ability of authenticated users to control the `action` and `function` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue allows an authenticated user to read system files via a crafted POST request. This is achieved by using the `function` parameter value as a Local File Inclusion (LFI) payload in the "cuppa/api/index.php" component. LFI is a type of vulnerability that enables an attacker to include or execute files on a server, potentially leading to sensitive data exposure or code execution. **Recommendations** For CuppaCMS version 1.0, as a temporary workaround, consider restricting access to the "cuppa/api/index.php" component or disabling the use of the `function` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.