Hackxback

**Name of the Vulnerable Software and Affected Versions** PHPJabbers Appointment Scheduler version 2.0 **Description** The issue allows remote attackers to hijack the authentication of administrators for requests. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the vulnerabilities can be exploited via the `i18n[1][name]` parameter in a "pjActionCreate" action to the "pjAdminServices" controller for conducting cross-site scripting (XSS) attacks, or by adding an administrator via a "pjActionCreate" action to the "pjAdminUsers" controller. **Recommendations** For PHPJabbers Appointment Scheduler version 2.0, consider disabling the `pjActionCreate` action in the `pjAdminServices` and `pjAdminUsers` controllers as a temporary workaround until a patch is available. Restrict access to the `i18n[1][name]` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPJabbers Appointment Scheduler version 2.0 **Description** A directory traversal issue allows remote attackers to read arbitrary files by providing a .. (dot dot) in the `id` parameter in a 'pjActionDownload' action to the 'pjBackup' controller. **Recommendations** For PHPJabbers Appointment Scheduler version 2.0, consider restricting access to the 'pjBackup' controller to minimize the risk of exploitation. Avoid using the `id` parameter in the 'pjActionDownload' action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.