Bunneyops

**Name of the Vulnerable Software and Affected Versions** FUEL CMS version 1.5.0 **Description** The issue is related to a cross-site request forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on the web application. **Recommendations** For FUEL CMS version 1.5.0, consider implementing CSRF token validation to prevent unauthorized requests. As a temporary workaround, restrict access to the login.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FUEL CMS version 1.5.0 **Description** The issue allows SQL Injection via the parameter `col` in the "/fuel/index.php/fuel/pages/items" API endpoint. This enables an attacker to inject malicious SQL code, potentially leading to unauthorized data access or modification. **Recommendations** For FUEL CMS version 1.5.0, consider restricting access to the "/fuel/index.php/fuel/pages/items" API endpoint until a patch is available. As a temporary workaround, avoid using the parameter `col` in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Fuel CMS version 1.5.0 **Description** The issue is related to a brute force vulnerability. It is located in the fuel/modules/fuel/controllers/Login.php file. **Recommendations** For Fuel CMS version 1.5.0, consider temporarily disabling the login functionality in the Login.php file until a patch is available. Restrict access to the Login.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FUEL CMS version 1.5.0 **Description** The issue allows SQL Injection via the parameter `col` in the "/fuel/index.php/fuel/logs/items" API endpoint. **Recommendations** For FUEL CMS version 1.5.0, avoid using the parameter `col` in the "/fuel/index.php/fuel/logs/items" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "/fuel/index.php/fuel/logs/items" API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FUEL CMS versions 1.5.0 **Description** A host header attack issue exists due to the lack of special element neutralization in fuel/modules/fuel/config/fuel constants.php and fuel/modules/fuel/libraries/Asset.php. This can allow a remote attacker to impact the confidentiality, integrity, and availability of protected information. An attacker can use a man-in-the-middle attack, such as phishing. **Recommendations** For FUEL CMS version 1.5.0, consider disabling access to the `fuel/modules/fuel/config/fuel constants.php` and `fuel/modules/fuel/libraries/Asset.php` files until a patch is available. Restrict access to these modules to minimize the risk of exploitation. Avoid using the `fuel/modules/fuel/config/fuel constants.php` and `fuel/modules/fuel/libraries/Asset.php` files in sensitive operations until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MaxSite CMS versions prior to V106 Description: A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script to a page via the "product/page/*" API endpoint. This enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions or data theft. Recommendations: For MaxSite CMS versions prior to V106, update to version V106 or later to resolve the issue. As a temporary workaround, consider restricting access to the "product/page/*" API endpoint to minimize the risk of exploitation.