Bludit · Bludit · CVE-2020-18190
**Name of the Vulnerable Software and Affected Versions**
Bludit version 3.8.1
**Description**
Bludit 3.8.1 allows remote attackers to delete arbitrary files on the server. The vulnerable code is the "/admin/ajax/upload-profile-picture" endpoint, which builds a filesystem path from a request-supplied value and removes the file at that path without rejecting directory traversal sequences such as "../". A crafted value therefore walks out of the profile-picture directory and deletes a file elsewhere on the host. The endpoint is part of the admin panel, so in practice the attacker needs a session that can reach it; every account that can change its own profile picture is enough.
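The following is an added, illustrative example, not Bludit's own code: it shows the vulnerable pattern the description refers to (a request-controlled name concatenated into a delete path) next to a hardened resolver, and runs both against a constructed directory layout in a temporary folder. The parameter name, the file layout and the fixed picture extensions are assumptions for the demonstration.

```python
"""Directory traversal in a profile-picture path, and the containment check that
stops it.  Illustrative code, not Bludit's own source."""
import os
import re
import tempfile

PICTURE_EXTENSIONS = (".jpg", ".png", ".gif")
# Allow-list for the request-controlled name: no separators, no dots.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def unsafe_picture_path(profiles_dir, username, ext):
    """Vulnerable pattern (assumed shape): the request value is concatenated
    into the path with no validation, so '../' in it walks out of profiles_dir."""
    return profiles_dir.rstrip("/") + "/" + username + ext


def safe_picture_path(profiles_dir, username, ext):
    """Hardened form: reject anything but a plain name, then confirm the resolved
    path is a direct child of the profile directory (defence in depth against
    symlinks or a later relaxation of the allow-list)."""
    if ext not in PICTURE_EXTENSIONS:
        raise ValueError("unsupported extension")
    if not USERNAME_RE.match(username):
        raise ValueError("invalid username")
    base = os.path.realpath(profiles_dir)
    candidate = os.path.realpath(os.path.join(base, username + ext))
    if os.path.dirname(candidate) != base:
        raise ValueError("path escapes the profile directory")
    return candidate


def remove_old_pictures(profiles_dir, username, resolver):
    """Delete any existing picture for `username`, as an upload handler does
    before storing a new one.  Returns the paths it removed."""
    removed = []
    for ext in PICTURE_EXTENSIONS:
        path = resolver(profiles_dir, username, ext)
        if os.path.isfile(path):
            os.remove(path)
            removed.append(path)
    return removed


def demo():
    """Run the vulnerable and hardened resolvers against a constructed layout in a
    temporary directory and report what happened to a file outside profiles/."""
    root = tempfile.mkdtemp()
    profiles = os.path.join(root, "bl-content", "uploads", "profiles")
    os.makedirs(profiles)
    # Constructed stand-in for a site asset that lives outside the profile directory.
    target = os.path.join(root, "bl-content", "uploads", "banner.png")
    with open(target, "wb") as f:
        f.write(b"constructed placeholder, not a real image")

    evil_name = "../banner"  # traversal in the request-controlled name (assumed parameter)

    # Hardened resolver: the name is rejected before any path is touched.
    try:
        remove_old_pictures(profiles, evil_name, safe_picture_path)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    survived_safe = os.path.isfile(target)

    # Vulnerable resolver: the same name deletes the file outside profiles/.
    removed = remove_old_pictures(profiles, evil_name, unsafe_picture_path)
    survived_unsafe = os.path.isfile(target)

    return {
        "safe_rejected": safe_rejected,
        "survived_safe": survived_safe,
        "unsafe_removed": removed,
        "survived_unsafe": survived_unsafe,
    }


if __name__ == "__main__":
    print(demo())
```

The allow-list is the real fix; the `realpath` containment check is kept as a second line of defence so that the handler still refuses to operate outside its directory if the name validation is ever loosened. The same two checks apply to the upload side of the handler, since a path that is safe to delete under must also be the only path the new file can be written to.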
**Recommendations**
Upgrade Bludit 3.8.1 to a current release in which this issue is fixed. If the upgrade cannot happen immediately, block requests to the "/admin/ajax/upload-profile-picture" endpoint at the web server or reverse proxy and ask users not to change their profile pictures in the meantime; both measures keep the vulnerable code from being reached, at the cost of the profile-picture feature. Because the endpoint is only reachable from a logged-in admin-panel session, also review which accounts can sign in and remove any that are no longer needed.
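One way to apply the interim block, as an added example that is not part of the original advisory: an nginx location rule that refuses the endpoint before the request is handed to Bludit's front controller. It assumes Bludit is served from the site root; if it lives in a sub-directory, prefix the path accordingly.

```nginx
# Inside the server block that serves the Bludit site.
# The exact-match location wins over the generic "location /" that forwards
# requests to index.php, so the vulnerable handler is never reached.
location = /admin/ajax/upload-profile-picture {
    return 403;
}
```

The Apache 2.4 equivalent is a `<Location "/admin/ajax/upload-profile-picture">` section containing `Require all denied`. Either rule should be removed once the site runs a fixed Bludit release, since it also disables the legitimate profile-picture upload.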