Jenaye

**Name of the Vulnerable Software and Affected Versions** Pligg version 2.0.3 **Description** The issue allows remote authenticated users to execute arbitrary commands. This is possible because the template editor can edit any file. For example, an attacker can send a request to `admin/admin editor.php` with parameters like `the file=..%2Findex.php` and `open=Open` to execute arbitrary commands. **Recommendations** For Pligg version 2.0.3, restrict access to the template editor to prevent unauthorized file edits. As a temporary workaround, consider disabling the template editor until a patch is available.

**Name of the Vulnerable Software and Affected Versions** aaPanel versions 6.6.6 and earlier **Description** The issue allows remote authenticated users to execute arbitrary commands via shell metacharacters in a modified "/system?action=ServiceAdmin" request to the setting menu of Software Store. This can be achieved through start, stop, or restart actions. **Recommendations** For versions 6.6.6 and earlier, consider disabling access to the "/system?action=ServiceAdmin" endpoint until a patch is available. Restrict the use of shell metacharacters in requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** aaPanel versions 6.6.6 and earlier **Description** The issue allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen. This can be done by exploiting the vulnerability in the `Script Content` box, which is part of the `Add Cron Job` functionality. **Recommendations** For versions 6.6.6 and earlier, consider disabling the `Add Cron Job` feature or restricting access to the `Script Content` box until a patch is available. As a temporary workaround, restrict the use of the `Script Content` box to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** KumbiaPHP versions 1.1.1 and earlier **Description** The issue allows for XSS via the "public/pages/kumbia" PATH INFO, specifically when KumbiaPHP is in Development mode. **Recommendations** For versions 1.1.1 and earlier, consider disabling Development mode to mitigate the risk of exploitation. Restrict access to the "public/pages/kumbia" PATH INFO to minimize the risk of XSS attacks. Avoid using the `PATH INFO` variable in the affected API endpoint until the issue is resolved.