Fidelis Abt

**Name of the Vulnerable Software and Affected Versions** Airleader Master and Easy versions prior to 6.36 **Description** The issue allows remote attackers to execute arbitrary commands via an unrestricted file upload in the Panel Designer dashboard. This can be exploited by logging into the administrator console, which has weak and easily guessable default credentials, and then uploading a JSP file via the dashboard. The `wizard/workspace.jsp` endpoint is specifically vulnerable to this type of attack, allowing the upload of malicious files. **Recommendations** For versions prior to 6.36, update to version 6.36 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrator console and changing the default credentials to stronger, unique passwords. Additionally, restrict the ability to upload files via the Panel Designer dashboard to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Web Application (affected versions not specified) Description: A low privileged remote attacker can insert a SQL injection in the web application due to improper handling of HTTP request input data, which allows the exfiltration of all data. This occurs because the application does not correctly handle input data from HTTP requests. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.