Havysec

**Name of the Vulnerable Software and Affected Versions** OneFileCMS versions prior to 2017-10-08 **Description** The issue allows attackers to delete arbitrary files via the Delete File(s) screen. This can be achieved by manipulating the URI, for example, by using a query string such as '?i=var/www/html/&f=123.php&p=edit&p=deletefile', which targets the 'onefilecms.php' file. **Recommendations** For versions prior to 2017-10-08, as a temporary workaround, consider restricting access to the Delete File(s) screen until a fix is available. Avoid using the delete file functionality in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OneFileCMS versions prior to 2017-10-08 **Description** The issue allows attackers to read arbitrary files via the `i` and `f` parameters. For example, the "/etc/passwd" file can be accessed using the endpoint "?i=etc/&f=passwd&p=raw view". **Recommendations** For versions prior to 2017-10-08, consider restricting access to the `i` and `f` parameters in the affected API endpoint to minimize the risk of exploitation. Avoid using the parameters `i` and `f` in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OneFileCMS versions prior to 2012-04-14 **Description** The issue allows attackers to conduct brute-force attacks. This is possible via the `onefilecms username` and `onefilecms password` fields. **Recommendations** For versions prior to 2012-04-14, consider restricting access to the login functionality to minimize the risk of exploitation. As a temporary workaround, implement rate limiting on the login attempts to slow down brute-force attacks.

**Name of the Vulnerable Software and Affected Versions** OneFileCMS versions prior to 2012-04-14 **Description** The issue allows attackers to execute arbitrary PHP code via a .php filename on the New File screen. **Recommendations** For versions prior to 2012-04-14, consider restricting access to the New File screen to minimize the risk of exploitation until a fix is available.

**Name of the Vulnerable Software and Affected Versions** OneFileCMS versions prior to 2012-04-14 **Description** The issue allows attackers to execute arbitrary PHP code via a .php filename on the Upload screen. **Recommendations** For versions prior to 2012-04-14, consider restricting access to the Upload screen to minimize the risk of exploitation. As a temporary workaround, avoid allowing uploads with .php filenames until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.