Maxncuo

**Name of the Vulnerable Software and Affected Versions** bloofoxCMS version 0.5.2.1 **Description** The issue allows remote attackers to execute arbitrary code and escalate privileges via a crafted webshell file to the upload module. This can be achieved by uploading a specifically designed file to the vulnerable module, potentially leading to privilege escalation. **Recommendations** For bloofoxCMS version 0.5.2.1, consider disabling the file upload feature until a patch is available to prevent remote attackers from executing arbitrary code. Restrict access to the upload module to minimize the risk of exploitation. Avoid using the upload feature with untrusted files or sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** bloofoxCMS version 0.5.2.1 **Description** The issue allows admins to upload arbitrary .php files to ../media/images/ via the "admin/index.php?mode=tools&page=upload" URI, which is a directory traversal issue. This is achieved by using a "Content-Type: application/octet-stream" header. **Recommendations** For bloofoxCMS version 0.5.2.1, consider restricting access to the admin/index.php?mode=tools&page=upload URI to prevent arbitrary file uploads until a patch is available. As a temporary workaround, consider disabling the upload functionality in the admin panel to minimize the risk of exploitation.