Binneko

Name of the Vulnerable Software and Affected Versions: Grav CMS versions 1.7.48 Description: A Remote Code Execution (RCE) issue exists in Grav CMS version 1.7.48. An authenticated administrator can upload a malicious plugin through the `/admin/tools/direct-install` API endpoint. Upon upload, the plugin is automatically extracted and loaded, enabling arbitrary PHP code execution and potential reverse shell access. The `/admin/tools/direct-install` endpoint accepts plugin uploads, and the `plugin` variable is involved in the process. Recommendations: Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the `/admin/tools/direct-install` endpoint.

**Name of the Vulnerable Software and Affected Versions** Anchor CMS version 0.12.7 **Description** A stored cross-site scripting (XSS) issue allows attackers to inject malicious JavaScript via the `page description` field in the page creation interface, specifically the "/admin/pages/add" API endpoint. **Recommendations** For Anchor CMS version 0.12.7, consider disabling the page description field in the page creation interface until a patch is available. Restrict access to the "/admin/pages/add" API endpoint to minimize the risk of exploitation. Avoid using the `page description` field in the affected interface until the issue is resolved.