Christasao

**Name of the Vulnerable Software and Affected Versions** Bludit version 3.9.2 **Description** The issue allows for Remote Code Execution (RCE) via the "/admin/ajax/upload-images" API endpoint. This means an attacker could potentially execute malicious code on the server. **Recommendations** For Bludit version 3.9.2, as a temporary workaround, consider disabling the "/admin/ajax/upload-images" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bludit version 3.9.2 **Description** The issue allows remote code execution via the "bl-kernel/ajax/upload-images.php" endpoint. This is possible because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname. **Recommendations** For Bludit version 3.9.2, as a temporary workaround, consider restricting access to the "bl-kernel/ajax/upload-images.php" endpoint until a patch is available. Avoid allowing users to upload files with PHP code, especially with .jpg file names, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.