Scorpino

**Name of the Vulnerable Software and Affected Versions** ModuleBased CMS Pre-Alpha **Description** The issue allows remote attackers to execute arbitrary PHP code via the ` SERVER` parameter in several files, including "admin/avatar.php", "libs/archive.class.php", "libs/login.php", "libs/profiles.class.php", and "libs/profile/proccess.php". However, it is noted that the ` SERVER` array and the ` SERVER[DOCUMENT ROOT]` index are controlled by PHP and cannot be manipulated by an attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.