Skysystem · Skysystem Arfa-Cms · CVE-2024-45264
**Name of the Vulnerable Software and Affected Versions**
SkySystem Arfa-CMS versions prior to 5.1.3124
**Description**
A cross-site request forgery (CSRF) vulnerability in the admin panel allows remote attackers to add a new administrator, leading to escalation of privileges. This issue enables attackers to perform unauthorized actions, potentially compromising the security of the system.
**Recommendations**
For SkySystem Arfa-CMS versions prior to 5.1.3124, update to version 5.1.3124 or later to resolve the issue. As a temporary workaround, consider implementing additional security measures to prevent CSRF attacks, such as validating user requests and ensuring proper session management. Restrict access to the admin panel to minimize the risk of exploitation.
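One way to apply the temporary workaround above while the update is pending, shown as an added example that is not part of the advisory or the vendor's code: a filter placed in front of the admin panel that limits admin access to a management network and rejects state-changing requests whose Origin/Referer is not the site's own. The admin path, site origin and subnet are assumed placeholder values.

```python
import ipaddress
from urllib.parse import urlsplit

# Every value below is an assumption for illustration; none comes from the advisory.
ADMIN_PREFIX = "/admin"                                  # hypothetical admin panel path
TRUSTED_ORIGINS = {"https://cms.example.org"}            # constructed site origin
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]  # constructed management subnet
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def request_origin(headers):
    """Return scheme://host[:port] from Origin, else Referer; None if missing or opaque."""
    value = headers.get("origin") or headers.get("referer")
    if not value or value == "null":
        return None
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def admin_request_decision(method, path, headers, client_ip):
    """Return (allowed, reason) for one request; path is assumed already normalized."""
    headers = {k.lower(): v for k, v in headers.items()}
    if path != ADMIN_PREFIX and not path.startswith(ADMIN_PREFIX + "/"):
        return True, "not an admin path"
    # Restrict the admin panel to the management network first.
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ADMIN_NETWORKS):
        return False, "client outside admin networks"
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # State-changing admin request: it must originate from the site itself.
    origin = request_origin(headers)
    if origin is None:
        return False, "state-changing request without Origin/Referer"
    if origin not in TRUSTED_ORIGINS:
        return False, f"cross-site origin {origin}"
    return True, "same-site state-changing request"
```

This check assumes the admin panel changes state only through non-safe methods, and it does not replace updating to 5.1.3124 or later.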