Matthew Hogg

**Name of the Vulnerable Software and Affected Versions** LogicalDOC (affected versions not specified) **Description** The application's API, used for document interaction, contains two endpoints with a flaw that allows an authenticated attacker to write a file with controlled content to an arbitrary location on the underlying file system. This can be used to facilitate Remote Code Execution (RCE). Exploitation requires an account with ‘read’ and ‘write’ privileges on at least one existing document within the application. Successful exploitation would allow an attacker to execute commands on the underlying operating system of the web server running LogicalDOC. The vulnerable API endpoints allow for arbitrary file writing. The `file content` is controlled by the attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The saved search functionality contains a blind SQL injection that can be exploited by authenticated attackers. Using a time-based blind SQLi technique, the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: LogicalDOC (affected versions not specified) Description: The Automation Scripting functionality can be exploited by attackers to run arbitrary system commands on the underlying operating system. An account with administrator privileges or that has been explicitly granted access to use Automation Scripting is needed to carry out the attack. Exploitation of this issue would allow an attacker to run commands of their choosing on the underlying operating system of the web server running LogicalDOC. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The API used to interact with documents in the application contains a flaw that allows an authenticated attacker to read the contents of files on the underlying operating system. An account with `read` and `download` privileges on at least one existing document in the application is required to exploit the issue. Exploitation of this issue would allow an attacker to read the contents of any file available within the privileges of the system user running the application. Recommendations: At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The login functionality contains a blind SQL injection that can be exploited by unauthenticated attackers. Using a time-based blind SQLi technique, the attacker can disclose all database contents. Account takeover is a potential outcome depending on the presence or lack thereof entries in certain database tables. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue concerns a blind SQL injection in the document history functionality. This can be exploited by authenticated attackers, potentially leading to account takeover, depending on the database contents. Attackers can use a time-based blind SQLi technique to disclose all database contents. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHPFusion (affected versions not specified) **Description** The issue is related to insufficient sanitization of tainted file names that are directly concatenated with a path and subsequently passed to a `require once` statement. This allows arbitrary files with the `.php` extension, for which the absolute path is known, to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a `.php` file payload. The vulnerability may allow remote code execution if an attacker can upload a maliciously crafted ".php" file to a known path on a target system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pluck CMS (affected versions not specified) **Description** The issue concerns an authenticated remote code execution (RCE) vulnerability through the "albums" module. This module allows the creation of image collections that can be inserted into web pages. Due to a lack of file extension validation, an attacker can upload a crafted JPEG payload containing an embedded PHP web-shell, which can be accessed directly to achieve RCE on the underlying web server. Administrator credentials are required to exploit this vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.