Dat Hoang

Researcher from VietSunshine Cyber Security Services
#17560 of 53,624
15.3 Total CVSS
Vulnerabilities · 2 (Medium: 1, High: 1)
PT-2022-25227
6.5
2022-10-03
Unknown · Mojoportal · CVE-2022-40123
**Name of the Vulnerable Software and Affected Versions** mojoPortal version 2.7

**Description** The issue allows authenticated attackers to read arbitrary files in the system due to a path traversal vulnerability. This vulnerability can be exploited via the `f` parameter at the "/DesignTools/CssEditor.aspx" API endpoint.

**Recommendations** For mojoPortal version 2.7, consider restricting access to the "/DesignTools/CssEditor.aspx" API endpoint to minimize the risk of exploitation. Avoid using the `f` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2022-25354
8.8
2022-09-30
Unknown · Mojoportal · CVE-2022-40341
**Name of the Vulnerable Software and Affected Versions** mojoPortal version 2.7

**Description** The issue allows attackers to execute arbitrary code via a crafted PNG file, exploiting an arbitrary file upload vulnerability.

**Recommendations** For mojoPortal version 2.7, consider disabling the file upload feature until a patch is available to prevent exploitation of the arbitrary file upload vulnerability.