Francisco Marinho

**Name of the Vulnerable Software and Affected Versions** eXtplorer version 2.1.15 **Description** The issue is related to insecure permissions in the eXtplorer file manager, which can be exploited by a remote attacker to execute arbitrary code via the "index.php" component. This vulnerability is associated with insufficient access control. **Recommendations** For version 2.1.15, consider disabling access to the "index.php" component until a patch is available. Restricting permissions for the index.php file may also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Schlix Web Inc SCHLIX CMS version 2.2.7-2 **Description** The issue allows an attacker to upload arbitrary files and execute arbitrary code via the `tristao` parameter. However, it is noted that this functionality is intentionally allowed for admins to upload new executable PHP code from trusted sources. The vulnerability is disputed by the vendor as it requires admin privileges to upload such code. **Recommendations** For version 2.2.7-2, consider restricting access to the `tristao` parameter to prevent unauthorized file uploads and code execution. As a temporary workaround, restrict the ability to upload new executable PHP code to only trusted sources and ensure that all admins are aware of the potential risks associated with this functionality.