Delf Tonder

#36627 of 53,638
7.5 total CVSS
Vulnerabilities · 1
PT-2012-1490
7.5
2012-11-26
Joomla · Community Builder Enhanced · CVE-2010-5280
**Name of the Vulnerable Software and Affected Versions**
Community Builder Enhanced (CBE) (`com_cbe`) component versions 1.4.8 through 1.4.10 for Joomla!

**Description**
The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the `tabname` parameter in a "userProfile" action to "index.php". This can be leveraged to execute arbitrary code by using the file upload feature.

**Recommendations**
For versions 1.4.8 through 1.4.10, avoid using the `tabname` parameter in the "userProfile" action to "index.php" until the issue is resolved. As a temporary workaround, consider restricting access to the file upload feature to minimize the risk of exploitation.