Jun6L3

**Name of the Vulnerable Software and Affected Versions** DuxCMS version 2.1 **Description** A file upload issue allows attackers to execute arbitrary PHP code. The vulnerability is exploited via the `duxcms/AdminUpload/upload` endpoint, allowing attackers to upload malicious files. **Recommendations** For DuxCMS version 2.1, consider disabling the file upload functionality in the `duxcms/AdminUpload/upload` endpoint until a patch is available. Restrict access to the upload feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DuxCMS version 2.1 **Description** A directory traversal issue allows attackers to delete arbitrary files via the `/admin/AdminBackup/del` API endpoint. This enables attackers to potentially disrupt system functionality or destroy sensitive data. **Recommendations** For DuxCMS version 2.1, as a temporary workaround, consider restricting access to the `/admin/AdminBackup/del` API endpoint until a patch is available. Additionally, avoid using the delete functionality in the AdminBackup module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.