Dav00D_Cracker

**Name of the Vulnerable Software and Affected Versions** OpenBASE Alpha version 0.6 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `root prefix` parameter to several PHP files, including "index.php", "email subscribe.php", "download.php", and "development.php". **Recommendations** For OpenBASE Alpha version 0.6, consider restricting access to the `root prefix` parameter in the affected PHP files until a patch is available. As a temporary workaround, avoid using the `root prefix` parameter in the "/index.php", "/email subscribe.php", "/download.php", and "/development.php" API endpoints.

**Name of the Vulnerable Software and Affected Versions** FirmWorX version 0.1.2 **Description** The issue allows remote attackers to execute arbitrary PHP code. This can be achieved via a URL in the `bank data[root]` parameter to `modules/bank/includes/design/main.inc.php`, or the `fm data[root]` parameter to `includes/config/master.inc.php` or `includes/functions/master.inc.php`. **Recommendations** For FirmWorX version 0.1.2, consider disabling access to the `modules/bank/includes/design/main.inc.php`, `includes/config/master.inc.php`, and `includes/functions/master.inc.php` files until a patch is available. Avoid using the `bank data[root]` and `fm data[root]` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.