D3Addog

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** Insufficient user input filtering leads to arbitrary file read by non-authenticated attackers, resulting in sensitive information disclosure. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions through 8.5.5 **Description** An issue was discovered that leads to authenticated path traversal, resulting in remote code execution via uploaded PHP code. This issue is related to the `bFilename` parameter. **Recommendations** For versions through 8.5.5, consider restricting access to uploaded PHP code to minimize the risk of exploitation. As a temporary workaround, avoid using the `bFilename` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 8.5.6 **Description** The issue concerns a CSRF vulnerability in the Calendar component of Concrete CMS. Specifically, the `ccm token` is not verified on the "ccm/calendar/dialogs/event/add/save" endpoint, making it susceptible to cross-site request forgery attacks. **Recommendations** For versions prior to 8.5.6, update to version 8.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the "ccm/calendar/dialogs/event/add/save" endpoint until a patch is available.