Leerinao

**Name of the Vulnerable Software and Affected Versions** FUEL-CMS version 1.4.13 **Description** The issue allows remote attackers to run arbitrary code via post ID to the "/users/delete/2" API endpoint. This is a Cross Site Request Forgery vulnerability. **Recommendations** For FUEL-CMS version 1.4.13, as a temporary workaround, consider restricting access to the "/users/delete/2" API endpoint until a patch is available. Avoid using the post ID parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FUEL-CMS version 1.4.13 **Description** The issue allows remote attackers to run arbitrary code via post ID to the "/permissions/delete/2" API endpoint. This is a Cross Site Request Forgery vulnerability. **Recommendations** For FUEL-CMS version 1.4.13, as a temporary workaround, consider restricting access to the "/permissions/delete/2" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FUEL CMS version 1.4.7 **Description** An issue was discovered in FUEL CMS, where an attacker can use a XSS payload and bypass a filter via the "/fuelCM/fuel/pages/edit/1?lang=english" API endpoint. **Recommendations** For FUEL CMS version 1.4.7, as a temporary workaround, consider restricting access to the "/fuelCM/fuel/pages/edit/1?lang=english" API endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FUEL CMS version 1.4.7 Description: An issue was discovered that allows for escalation of privilege to obtain super admin privilege. This is achieved via the `id` and `fuel id` parameters. Recommendations: For FUEL CMS version 1.4.7, as a temporary workaround, consider restricting access to the parameters `id` and `fuel id` until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.