Novysodope

**Name of the Vulnerable Software and Affected Versions** Z-BlogPHP version 1.5 **Description** The issue in Z-BlogPHP relates to the mishandling of file preview in the zb system/admin/index.php?act=UploadMng endpoint, potentially leading to content spoofing. However, it's noted that the software maintainer disputes this as a vulnerability. **Recommendations** For Z-BlogPHP version 1.5, as a temporary workaround, consider restricting access to the `UploadMng` act in the `index.php` file until the dispute is resolved or further guidance is provided. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Z-BlogPHP versions prior to 1.5.1 **Description** The issue allows remote attackers to execute arbitrary PHP code by uploading an image with the image/jpeg content type to the "zb system/admin/index.php?act=UploadMng" API endpoint. This requires authentication. The vendor disputes the vulnerability, stating that their current version does not allow dynamic including and thus cannot execute PHP code by uploading an image. **Recommendations** For Z-BlogPHP versions prior to 1.5.1, consider restricting access to the upload functionality in the zb system/admin/index.php?act=UploadMng API endpoint to minimize the risk of exploitation. Additionally, restrict the use of the image/jpeg content type in uploads until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.