Pxss

**Name of the Vulnerable Software and Affected Versions** Fuel-CMS version 1.4.6 **Description** The issue allows a remote attacker to execute arbitrary code via a crafted zip file to the `assests` parameter of the `upload` function. This enables the attacker to potentially gain unauthorized access and control over the system. **Recommendations** For Fuel-CMS version 1.4.6, consider disabling the `upload` function until a patch is available to prevent exploitation. Restrict access to the `assests` parameter to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** FUEL-CMS version 1.4.6 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via the page title, meta description, and meta keywords of the pages function. **Recommendations** For version 1.4.6, consider restricting access to the page title, meta description, and meta keywords editing functionality until a fix is available. As a temporary workaround, validate and sanitize all user input for these fields to prevent code injection.

**Name of the Vulnerable Software and Affected Versions** FUEL-CMS version 1.4.6 **Description** The issue allows a remote attacker to execute arbitrary code via a crafted .php file to the `upload` parameter in the `navigation` function. This enables the attacker to potentially gain control over the system. **Recommendations** For FUEL-CMS version 1.4.6, consider disabling the file upload feature in the navigation function until a patch is available. Restrict access to the upload parameter to minimize the risk of exploitation. Avoid using the `upload` parameter in the navigation function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.