Keke

**Name of the Vulnerable Software and Affected Versions** playeduxyz PlayEdu versions 1.8 and earlier **Description** A problem was found in the processing of the "/api/backend/v1/user/create" file of the User Avatar Handler component. The manipulation of the `Avatar` argument leads to server-side request forgery. The attack can be initiated remotely. The exploit has been publicly disclosed and may be used. The vendor was contacted about this disclosure but did not respond. **Recommendations** For versions 1.8 and earlier, as a temporary workaround, consider disabling the `Avatar` argument in the "/api/backend/v1/user/create" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Westboy CicadasCMS version 1.0 Description: A critical vulnerability has been found in Westboy CicadasCMS, affecting an unknown part of the file /upload/ of the component JSP Parser. The manipulation of the argument `File` leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Recommendations: As a temporary workaround, consider disabling the file upload functionality in the /upload/ component until a patch is available. Restrict access to the JSP Parser component to minimize the risk of exploitation. Avoid using the `File` argument in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.