Unknown · File Manager · CVE-2024-24572
**Name of the Vulnerable Software and Affected Versions**
facileManager versions 4.5.0 and earlier
**Description**
The issue concerns facileManager, a modular suite of web apps built with the sysadmin in mind. In the affected versions, the `$_REQUEST` global array was unsafely passed to `extract()` in `admin-logs.php`. Although the PHP file `fm-init.php` prevents arbitrary manipulation of `$_SESSION` via GET/POST parameters, it does not prevent manipulation of other sensitive variables such as `$search_sql`. An authenticated user with privileges to view site logs can therefore overwrite the `$search_sql` variable by appending a `search_sql` GET parameter to the URL, which renders the existing checks and SQL injection prevention unusable.
**Recommendations**
For versions 4.5.0 and earlier, consider removing the `extract()` call in `admin-logs.php` or restricting access to the `$search_sql` variable until a patch is available. As a temporary workaround, avoid using the `search_sql` parameter in the affected URL until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.
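The following PHP sketch is an added illustration, not facileManager's own code, of the pattern the Description and Recommendations above refer to: a server-side `$search_sql` that `extract($_REQUEST)` lets a request key overwrite, beside a hardened form that reads only an allow-listed parameter and binds its value instead of splicing it into the query. Function, table and column names are hypothetical.

```php
<?php
// Added illustration (not facileManager's code). Table/column names are placeholders.

// Vulnerable shape: $search_sql is built server-side from a sanitised input,
// then extract() imports every request key as a local variable. A request that
// also carries a 'search_sql' key silently replaces the sanitised value.
function buildLogQueryVulnerable(array $request): string
{
    $search_sql = '';
    if (!empty($request['search'])) {
        // The application's own escaping would happen here.
        $search_sql = " WHERE log_data LIKE '%" . addslashes($request['search']) . "%'";
    }
    extract($request);                     // clobbers $search_sql if the request defines it
    return 'SELECT * FROM logs_table' . $search_sql;
}

// Hardened shape: no extract(). Only an explicit allow-list of request keys is
// read, the value is bound as a prepared-statement parameter, and any extra
// key (such as 'search_sql') is ignored entirely.
function buildLogQuerySafe(array $request): array
{
    $allowed = ['search'];                 // the only request keys this page consumes
    $sql     = 'SELECT * FROM logs_table';
    $bind    = [];
    foreach ($allowed as $key) {
        if (!isset($request[$key]) || $request[$key] === '') {
            continue;
        }
        $sql   .= ' WHERE log_data LIKE ?';
        $bind[] = '%' . (string) $request[$key] . '%';
    }
    return [$sql, $bind];                  // run via PDO::prepare()->execute($bind)
}

// Constructed request (not from a real system): a legitimate 'search' plus an
// extra 'search_sql' key that the safe version must not honour.
$constructed = ['search' => 'login', 'search_sql' => 'CONSTRUCTED_VALUE'];

// The vulnerable builder returns a query whose WHERE clause is the extra key's value.
var_dump(buildLogQueryVulnerable($constructed));

// The safe builder returns a parameterised query and the bound pattern '%login%'.
var_dump(buildLogQuerySafe($constructed));
```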