Lowk3V

**Name of the Vulnerable Software and Affected Versions** SunHater KCFinder versions 3.20-test1, 3.20-test2, 3.12, and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `CKEditorFuncNum` parameter in the upload.php file. **Recommendations** For SunHater KCFinder versions 3.20-test1, 3.20-test2, 3.12, and earlier, avoid using the `CKEditorFuncNum` parameter in the upload.php file until a fix is available. As a temporary workaround, consider restricting access to the upload.php file to minimize the risk of exploitation.