Pouya Darabi

**Name of the Vulnerable Software and Affected Versions** PHP FormMail Generator (affected versions not specified) **Description** The issue allows a remote unauthenticated user to bypass authentication and access the administrator panel. This can be achieved by navigating directly to the "/admin.php?mod=admin&func=panel" API endpoint. **Recommendations** As a temporary workaround, consider disabling access to the /admin.php API endpoint until a patch is available. Restrict access to the administrator panel to minimize the risk of exploitation. Avoid using the `mod` and `func` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PHP FormMail Generator (affected versions not specified) **Description** The issue allows a remote unauthenticated attacker to inject PHP code by exploiting the deserialization of untrusted input in the phpfmg filman download() function. This could also be used for local file inclusion attacks to obtain files from the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP FormMail Generator (affected versions not specified) **Description** The issue arises from inadequate validation of user input folder directories in the generated PHP form code. This allows a remote unauthenticated attacker to perform a path traversal, enabling access to arbitrary files on the server. It is estimated that any PHP form code generated by the PHP FormMail Generator website prior to 2016-12-06 may be affected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.