Michalc · Pdw File Browser · CVE-2020-36973
**Name of the Vulnerable Software and Affected Versions**
PDW File Browser version 1.3
**Description**
An issue allows authenticated users to achieve remote code execution by uploading a webshell file and then renaming and moving it to arbitrary locations on the web server. The webshell is uploaded with a .txt extension, renamed to .php, and moved to an accessible directory using double-encoded path traversal, a technique that encodes path characters multiple times so that security filters do not recognize the traversal sequence and access to restricted directories is not blocked.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
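
The following is an added example, not code from the advisory or from PDW File Browser. It sets a filter that inspects the path before decoding beside a check that decodes to a stable form, canonicalises, and only then tests containment and the target extension. The upload root, the extension list, all function names and the sample value are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

BASE_DIR = "/var/www/app/uploads"              # assumed upload root
EXECUTABLE_EXTS = {".php", ".phtml", ".phar"}  # assumed server-executed extensions

def naive_filter(value):
    """Weak check: searches for traversal without decoding the value first."""
    return "../" not in value and "..\\" not in value

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def safe_resolve(value, base_dir=BASE_DIR):
    """Canonicalise first, then check containment; returns the resolved path."""
    decoded = fully_decode(value).replace("\\", "/")
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    resolved = posixpath.normpath(posixpath.join(base_dir, decoded.lstrip("/")))
    if resolved != base_dir and not resolved.startswith(base_dir + "/"):
        raise ValueError("path escapes upload root")
    return resolved

def safe_rename(old_name, new_name, base_dir=BASE_DIR):
    """Allow a rename only inside base_dir and never to an executable extension."""
    src = safe_resolve(old_name, base_dir)
    dst = safe_resolve(new_name, base_dir)
    if posixpath.splitext(dst)[1].lower() in EXECUTABLE_EXTS:
        raise ValueError("rename to executable extension refused")
    return src, dst

# Constructed sample: a double-encoded value as the application sees it after
# the web server has already decoded the request once.
SAMPLE = "%2e%2e%2f%2e%2e%2fpublic/notes.txt"

if __name__ == "__main__":
    print("naive filter accepts sample:", naive_filter(SAMPLE))
    try:
        safe_resolve(SAMPLE)
    except ValueError as err:
        print("safe_resolve rejects sample:", err)
```

The same ordering (decode until stable, canonicalise, then validate) applies to every file operation that takes a user-supplied path, including upload, rename and move.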