Real

**Name of the Vulnerable Software and Affected Versions** zKup CMS versions 2.0 through 2.3 **Description** The issue allows remote attackers to gain administrator privileges without requiring administrative authentication for the admin/configuration/modifier.php endpoint. This can be achieved by making a direct request to this endpoint, for example, by adding a new administrator. **Recommendations** For zKup CMS versions 2.0 through 2.3, consider restricting access to the admin/configuration/modifier.php endpoint until a proper fix is available. As a temporary workaround, limit the ability to add new administrators to prevent unauthorized access.

Name of the Vulnerable Software and Affected Versions: fuzzylime (cms) versions prior to 3.01b Description: The issue allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a `files` array element for a `blogs` action. This can be demonstrated by manipulating the `files[0]` parameter. Recommendations: For versions prior to 3.01b, update to version 3.01b or later to resolve the issue. As a temporary workaround, consider restricting access to the `commsrss.php` file to minimize the risk of exploitation. Avoid using the `files` array element in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PEEL versions 3.x and earlier **Description** The issue allows remote authenticated administrators to upload and execute arbitrary PHP files via a modified content type in an ajout action. This can be achieved by modifying the content type, for example, to `image/gif` or `application/pdf`. **Recommendations** For versions 3.x and earlier, consider restricting access to the `administrer/produits.php` file to prevent arbitrary PHP file uploads until a fix is available. As a temporary workaround, restrict the `ajout` action to authorized users only.

**Name of the Vulnerable Software and Affected Versions** PEEL versions 3.x and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `email` parameter to "membre.php", and the `timestamp` parameter to the "details" action in "achat/historique commandes.php" and the "facture" action in "factures/facture html.php". **Recommendations** For PEEL versions 3.x and earlier, as a temporary workaround, consider restricting access to the `membre.php`, `achat/historique commandes.php`, and `factures/facture html.php` files until a patch is available. Avoid using the `email` and `timestamp` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PEEL versions 3.x and earlier **Description** The issue allows remote attackers to obtain configuration information by making a direct request to "phpinfo.php", which calls the `phpinfo` function. **Recommendations** For versions 3.x and earlier, consider restricting access to the "phpinfo.php" file to prevent unauthorized disclosure of configuration information. As a temporary workaround, remove or rename the "phpinfo.php" file until a more permanent solution is available.

**Name of the Vulnerable Software and Affected Versions** PEEL versions 3.x and earlier **Description** The issue allows remote attackers to gain administrative access due to default accounts with known passwords. Specifically, it has a default info@peel.fr account with password `admin`, and a default contact@peel.fr account with password `cinema`. **Recommendations** For versions 3.x and earlier, change the default passwords for the info@peel.fr and contact@peel.fr accounts to secure passwords. As a temporary workaround, consider disabling these default accounts until a more permanent solution is available.