Giovanni Buzzin

**Name of the Vulnerable Software and Affected Versions** Web File Explorer version 3.1 **Description** The issue allows remote attackers to create arbitrary files and execute arbitrary code. This is achieved by using the savefile action with a file parameter containing a filename that has an executable extension in the body.asp file. **Recommendations** For Web File Explorer version 3.1, consider restricting access to the body.asp file to prevent remote attackers from creating and executing arbitrary files. As a temporary workaround, restrict the savefile action to prevent the creation of files with executable extensions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Web File Explorer version 3.1 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `id` parameter in the "body.asp" file. **Recommendations** For Web File Explorer version 3.1, avoid using the `id` parameter in the body.asp file until a fix is available. Consider restricting access to the body.asp file to minimize the risk of exploitation.