CVE-2021-31769
**Name of the Vulnerable Software and Affected Versions**
MyQ Server in MyQ X Smart versions prior to 8.2
**Description**
MyQ Server in MyQ X Smart before 8.2 allows remote code execution by unprivileged users. Administrative session data is stored in the %PROGRAMFILES%\MyQ\PHP\Sessions directory, and it can be read by non-administrators because the "Select server file" feature, although intended for administrators, does not require authorization. With an administrator's session data in hand, an attacker can take over that session and use the Task Scheduler component to inject arbitrary OS commands, for example to create new .php files on the server, which results in remote code execution.
**Recommendations**
For versions prior to 8.2, update to version 8.2 or later; this is the only complete fix. If the update cannot be applied immediately, reduce exposure in the meantime: restrict access to the Task Scheduler component and the "Select server file" feature to administrators on trusted networks, and tighten the filesystem permissions on the %PROGRAMFILES%\MyQ\PHP\Sessions directory so that only local administrators and the account the MyQ service runs under can read it. After updating, invalidate active administrator sessions, since any session data exposed before the fix remains usable until the session expires.
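The following PowerShell audit script is an added example for this advisory; it is not part of the advisory and is not MyQ's own tooling. It assumes (the advisory does not state this) that MyQ registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning with "MyQ", and that the Sessions directory is at the path the advisory names under the default Program Files installation root. It reports whether the installed version is below 8.2 and whether the Sessions directory grants read access to broad principals, which is the condition that lets unprivileged users read administrator session data.

```powershell
# Added example: audit a MyQ host for CVE-2021-31769 exposure.
# Assumptions (not from the advisory): MyQ appears in the Uninstall registry
# keys with a DisplayName like "MyQ*", and the installation root is
# $env:ProgramFiles\MyQ. Adjust -SessionsDir for non-default installs.
param(
    [string]$SessionsDir = (Join-Path $env:ProgramFiles 'MyQ\PHP\Sessions'),
    [Version]$FixedVersion = [Version]'8.2'
)

# 1. Installed version check against the fixed release.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$myq = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'MyQ*' }

if (-not $myq) {
    Write-Warning "No product with DisplayName 'MyQ*' found in the Uninstall keys; check the version manually."
}
foreach ($app in $myq) {
    $installed = $null
    if ([Version]::TryParse($app.DisplayVersion, [ref]$installed)) {
        if ($installed -lt $FixedVersion) {
            Write-Warning "$($app.DisplayName) $installed is below $FixedVersion and is affected by CVE-2021-31769; update."
        } else {
            Write-Output "$($app.DisplayName) $installed is at or above $FixedVersion."
        }
    } else {
        Write-Warning "$($app.DisplayName): could not parse DisplayVersion '$($app.DisplayVersion)'."
    }
}

# 2. ACL audit of the Sessions directory. Any Allow ACE that grants ReadData
#    to a broad principal lets an unprivileged local user read admin sessions.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
$readData = [int][System.Security.AccessControl.FileSystemRights]::ReadData

if (Test-Path -LiteralPath $SessionsDir) {
    $acl  = Get-Acl -LiteralPath $SessionsDir
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights -band $readData) -ne 0)
    }
    if ($weak) {
        Write-Warning "Broad read access on ${SessionsDir}:"
        $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
        # Suggested remediation (run as Administrator). Replace <MyQServiceAccount>
        # with the account the MyQ service actually runs under; removing its
        # access would break session handling for the server itself.
        Write-Output 'Suggested fix:'
        Write-Output ("  icacls `"{0}`" /inheritance:r /grant:r `"SYSTEM:(OI)(CI)F`" " +
                      "`"BUILTIN\Administrators:(OI)(CI)F`" `"<MyQServiceAccount>:(OI)(CI)M`"" -f $SessionsDir)
    } else {
        Write-Output "No broad read ACEs found on $SessionsDir."
    }
} else {
    Write-Warning "Sessions directory not found at $SessionsDir; pass -SessionsDir for a non-default install."
}
```

Run the script in an elevated PowerShell session on the MyQ server; Get-Acl needs read access to the directory's security descriptor, which a standard user may not have. The ACL check only covers the directory itself, so if individual session files were created with their own explicit ACEs, inspect them with the same filter before relying on the result.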