Dvnrcy

**Name of the Vulnerable Software and Affected Versions** Faveo version 1.9.3 **Description** The issue allows for CSRF, potentially resulting in obtaining admin privileges. The affected endpoint is "public/rolechangeadmin". **Recommendations** For Faveo version 1.9.3, update to a version that includes a fix for this issue to prevent CSRF attacks. As a temporary workaround, consider implementing CSRF protection measures to restrict access to the "public/rolechangeadmin" endpoint.

**Name of the Vulnerable Software and Affected Versions** HelpDEZk version 1.1.1 **Description** The issue allows for obtaining admin privileges through CSRF in the "admin/home#/person/" endpoint. **Recommendations** For HelpDEZk version 1.1.1, update to a version that includes a fix for this issue, as using the `admin/home#/person/` endpoint can lead to admin privilege escalation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HelpDEZk version 1.1.1 **Description** The issue allows for remote execution of arbitrary PHP code through a CSRF vulnerability. It is specifically found in the "admin/home#/logos/" endpoint. **Recommendations** For HelpDEZk version 1.1.1, as a temporary workaround, consider restricting access to the "admin/home#/logos/" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pixie version 1.0.4 **Description** The issue allows remote authenticated users to upload and execute arbitrary PHP code. This is achieved by sending a POST request to the "admin/index.php?s=publish&x=filemanager" endpoint with a filename that has a double extension, such as a .jpg.php file, and setting the Content-Type to image/jpeg. **Recommendations** For Pixie version 1.0.4, consider restricting access to the admin/index.php file and validating file uploads to prevent execution of arbitrary PHP code. As a temporary workaround, restrict the `filemanager` functionality in the `admin/index.php` endpoint until a patch is available. Avoid using the `x=filemanager` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.2.16 **Description** The issue concerns a CSRF problem. It affects the "admin/settings/update/" page, specifically with the `value` parameter. This allows an attacker to change the Colophon. **Recommendations** For BigTree CMS version 4.2.16, consider restricting access to the "admin/settings/update/" page as a temporary workaround until a patch is available. Avoid using the `value` parameter in this page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.2.16 **Description** A CSRF issue exists, allowing the Navigation Social to be changed by manipulating the `value[#][*]` parameter in the "admin/settings/update/" page. **Recommendations** For BigTree CMS version 4.2.16, as a temporary workaround, consider restricting access to the "admin/settings/update/" page until a patch is available. Avoid using the `value[#][*]` parameter in this page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS versions 4.1.18 through 4.2.16 **Description** The issue concerns a CSRF problem. It affects the "admin/ajax/users/delete/" page, specifically with the `id` parameter. This allows an unauthorized user deletion. **Recommendations** For BigTree CMS versions 4.1.18 through 4.2.16, avoid using the `id` parameter in the "admin/ajax/users/delete/" page until the issue is resolved. As a temporary workaround, consider restricting access to the "admin/ajax/users/delete/" page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.1.18 **Description** The issue concerns a CSRF problem. It affects the "admin/settings/update/" page, specifically with the `colophon` parameter. This allows the Colophon to be changed. **Recommendations** For BigTree CMS version 4.1.18, consider restricting access to the "admin/settings/update/" page to minimize the risk of exploitation. As a temporary workaround, avoid using the `colophon` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BigTree CMS version 4.1.18 **Description** The issue concerns a CSRF problem. It affects the "admin/settings/update/" page, specifically with the `nav-social` parameter. This allows an attacker to change the Navigation Social settings. **Recommendations** For BigTree CMS version 4.1.18, consider restricting access to the "admin/settings/update/" page and the `nav-social` parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the `nav-social` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fiyo CMS version 2.0.6.1 **Description** The issue allows remote authenticated users to gain privileges by modifying the `level` parameter in the `/dapur/` endpoint with an `app=user&act=edit` action. **Recommendations** For Fiyo CMS version 2.0.6.1, consider restricting access to the `/dapur/` endpoint with `app=user&act=edit` action until a patch is available. As a temporary workaround, avoid using the modified `level` parameter in this endpoint to minimize the risk of exploitation.