Bkfish

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue is related to a remote code execution (RCE) vulnerability. It is exploited via the `saveConfigData` function in the `/classes/ajax/Functions.php` file. **Recommendations** For CuppaCMS version 1.0, as a temporary workaround, consider disabling the `saveConfigData` function until a patch is available. Restrict access to the `/classes/ajax/Functions.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Atom CMS version 2.0 **Description** A reflected cross-site scripting (XSS) issue was found in Atom CMS. The issue is related to the `A` parameter in the "/widgets/debug.php" API endpoint. This allows for potential XSS attacks. **Recommendations** For Atom CMS version 2.0, consider restricting access to the "/widgets/debug.php" endpoint until a fix is available. As a temporary workaround, avoid using the `A` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Online Banking System version 1.0 **Description** The Online Banking System contains a SQL injection issue via the staff login.php file. This allows for potential exploitation. **Recommendations** For Online Banking System version 1.0, consider restricting access to the staff login.php file until a patch is available. As a temporary workaround, avoid using user-inputted data in SQL queries to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue allows attackers to upload arbitrary files and execute arbitrary code via a crafted PHP file. This is possible due to a flaw in the /jquery file upload/server/php/index.php component. **Recommendations** For CuppaCMS version 1.0, consider disabling the /jquery file upload/server/php/index.php component until a patch is available to prevent arbitrary file uploads and code execution. Restrict access to this component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue allows for an arbitrary file read via the `copy` function. **Recommendations** For CuppaCMS version 1.0, as a temporary workaround, consider disabling the `copy` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue is related to a local file inclusion via the `url` parameter in the `/alerts/alertLightbox.php` endpoint. This allows for potential unauthorized access to local files. **Recommendations** For CuppaCMS version 1.0, consider restricting access to the `/alerts/alertLightbox.php` endpoint until a fix is available. As a temporary workaround, avoid using the `url` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CuppaCMS version 1.0 **Description** The issue is related to a local file inclusion via the `url` parameter in the `/alerts/alertConfigField.php` endpoint. This allows for potential unauthorized access to local files. **Recommendations** For CuppaCMS version 1.0, consider restricting access to the `/alerts/alertConfigField.php` endpoint until a patch is available. As a temporary workaround, avoid using the `url` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Atom CMS version 2.0 **Description** A remote code execution (RCE) issue was discovered in Atom CMS via the /admin/uploads.php endpoint. This allows for potential code execution on the server. **Recommendations** For Atom CMS version 2.0, as a temporary workaround, consider disabling access to the /admin/uploads.php endpoint until a patch is available. Restricting file uploads in the admin panel can also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Atom CMS version 2.0 **Description** A SQL injection issue was discovered in Atom CMS via the `id` parameter in the "/admin/ajax/avatar.php" API endpoint. This allows for potential exploitation. **Recommendations** For Atom CMS version 2.0, as a temporary workaround, consider restricting access to the "/admin/ajax/avatar.php" API endpoint until a patch is available. Avoid using the `id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Taocms version 3.0.2 **Description** The issue allows for an arbitrary file read via the `path` parameter. This could potentially lead to unauthorized access to sensitive information. **Recommendations** For Taocms version 3.0.2, consider restricting access to the `path` parameter to minimize the risk of exploitation. Avoid using the `path` parameter in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Taocms version 3.0.2 **Description** The issue concerns an arbitrary file read vulnerability that can be exploited via the `path` parameter. Additionally, there is a SQL injection vulnerability via the `taocmsincludeModelArticle.php` file. **Recommendations** For Taocms version 3.0.2, consider restricting access to the `path` parameter to prevent arbitrary file read exploitation. As a temporary workaround, restrict access to the `taocmsincludeModelArticle.php` file to minimize the risk of SQL injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Navigate CMS version 2.9.4 **Description** A reflected cross-site scripting (XSS) issue in `themes.php` allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. **Recommendations** For Navigate CMS version 2.9.4, update to a version that addresses this issue, as the current version allows execution of arbitrary web scripts or HTML by authenticated attackers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NavigateCMS version 2.9 **Description** An arbitrary file read issue exists via the "/navigate/navigate download.php" `id` parameter. This allows for unauthorized access to files. **Recommendations** For NavigateCMS version 2.9, as a temporary workaround, consider restricting access to the "/navigate/navigate download.php" endpoint until a patch is available. Avoid using the `id` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.