Sebastian Nerz

Researcher from SySS GmbH
Rank #19988 of 53,635 · Total CVSS 13 · Vulnerabilities: 2 (High: 1, Medium: 1)
PT-2015-5337 · CVSS 7.5 (High) · 2015-02-06
Fancyfon · Fancyfon Famoc · CVE-2015-1514
**Name of the Vulnerable Software and Affected Versions**
FancyFon FAMOC versions prior to 3.17.4

**Description**
Multiple SQL injection flaws. Remote attackers can execute arbitrary SQL commands via the `device ID` REST parameter of the `/ajax.php` API endpoint without authenticating, and remote authenticated users can execute arbitrary SQL commands via the `order` parameter of `index.php`. In both cases request data reaches the database as part of the SQL text instead of as a bound value.

**Recommendations**
Update to FAMOC 3.17.4 or later. Until the update is applied, restrict access to `/ajax.php` and `index.php` to trusted networks or hosts; the `/ajax.php` vector needs no login, so tightening authentication alone does not reduce that exposure. Avoid relying on the `device ID` and `order` parameters of the affected endpoints until the issue is resolved.
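The two injection shapes named above differ in how they are fixed: a numeric ID can be passed as a bound parameter, but a sort column is an identifier, which bind parameters cannot carry, so it has to be checked against a whitelist. The following is an added example, not FancyFon FAMOC code: the real handlers' source is not on this page, so the `devices` and `users` tables, the column names and the handler signatures are assumptions, and the data is constructed in an in-memory SQLite database. It shows each vulnerable form next to its hardened form, and a blind ORDER BY probe that leaks one bit per request through row order.

```python
"""Injection through a numeric ID and through an ORDER BY parameter.

Added example, not FancyFon FAMOC code: the affected handlers' source is
not on this page, so the tables, column names and handler shapes below are
assumptions. It runs against an in-memory SQLite database filled with
constructed sample rows.
"""
import sqlite3

# Assumed whitelist of sort columns the UI is allowed to request.
ALLOWED_ORDER_COLUMNS = {"id", "name", "last_seen"}


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for a device inventory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER, name TEXT, last_seen TEXT)")
    conn.executemany(
        "INSERT INTO devices VALUES (?, ?, ?)",
        [(1, "tablet-z", "2015-02-05"),
         (2, "phone-a", "2015-02-01"),
         (3, "phone-m", "2015-02-03")],
    )
    conn.execute("CREATE TABLE users (login TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw')")
    return conn


def get_device_vulnerable(conn, device_id: str):
    """Unsafe: the request value is spliced into the SQL text."""
    return conn.execute(f"SELECT id, name FROM devices WHERE id = {device_id}").fetchall()


def get_device_fixed(conn, device_id: str):
    """Safe: validate the type, then pass the value as a bound parameter."""
    did = int(device_id)  # raises ValueError for anything that is not an integer
    return conn.execute("SELECT id, name FROM devices WHERE id = ?", (did,)).fetchall()


def list_devices_vulnerable(conn, order: str):
    """Unsafe: a sort column is an identifier, so it ends up in the SQL text."""
    return conn.execute(f"SELECT id, name FROM devices ORDER BY {order}").fetchall()


def list_devices_fixed(conn, order: str):
    """Safe: identifiers cannot be bound, so they must come from a whitelist."""
    if order not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order!r}")
    return conn.execute(f"SELECT id, name FROM devices ORDER BY {order}").fetchall()


def ids_in_order(rows):
    """Device ids in the order the query returned them."""
    return [row[0] for row in rows]


def blind_probe_payload(guess: str) -> str:
    """ORDER BY payload: sort by id if the first character of the stored hash
    equals `guess`, otherwise by name, so the row order leaks one bit."""
    return (f"CASE WHEN (SELECT substr(pw_hash, 1, 1) FROM users) = '{guess}' "
            "THEN id ELSE name END")


def rejected(fn, *args) -> bool:
    """True if the hardened handler refuses the input with ValueError."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(get_device_vulnerable(db, "0 UNION SELECT login, pw_hash FROM users"))
    print(ids_in_order(list_devices_vulnerable(db, blind_probe_payload("h"))))
    print(ids_in_order(list_devices_vulnerable(db, blind_probe_payload("x"))))
    print(rejected(list_devices_fixed, db, blind_probe_payload("h")))
```

With the constructed rows, sorting by `id` yields 1, 2, 3 and sorting by `name` yields 2, 3, 1, so the probe's two outcomes are distinguishable without any error message, which is why an authenticated-only `order` injection is still worth a high-priority fix.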
PT-2014-2772 · CVSS 5.5 (Medium) · 2014-05-20
Typo3 · Typo3 · CVE-2013-4320
**Name of the Vulnerable Software and Affected Versions**
TYPO3 versions 6.0.0 through 6.0.8
TYPO3 versions 6.1.0 through 6.1.3

**Description**
The File Abstraction Layer (FAL) in TYPO3 does not properly check permissions before acting on a file. A remote authenticated user can create or read arbitrary files by crafting a specific URL, reaching files outside the locations that user is permitted to use.

**Recommendations**
For TYPO3 6.0.0 through 6.0.8, update to 6.0.9 or later. For TYPO3 6.1.0 through 6.1.3, update to 6.1.4 or later.
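The flaw class above is a storage layer that resolves a file identifier from the request and reads or writes it without asking whether the requesting user may touch that path. The following is an added example, not TYPO3 FAL code: the page only states that FAL failed to check permissions, so the storage layout, the per-user mount table, and the handler names are assumptions, and the storage itself is built in a temporary directory. It shows the unchecked read next to a check that resolves the real path and requires it to sit inside one of the user's permitted mounts, for both reads and file creation.

```python
"""Permission check for a storage identifier taken from a URL.

Added example, not TYPO3 FAL code: the page only says that FAL did not check
permissions before creating or reading files, so the storage layout, the
per-user "file mount" table and the handler signatures here are assumptions.
It builds a throwaway storage in a temporary directory.
"""
import os
import tempfile

# Assumed: each user may only touch paths under these storage-relative mounts.
FILE_MOUNTS = {"editor": ["user_upload/editor"]}


def build_storage() -> str:
    """Constructed storage: one editor-owned folder and one private folder."""
    root = tempfile.mkdtemp(prefix="storage-demo-")
    os.makedirs(os.path.join(root, "user_upload", "editor"))
    os.makedirs(os.path.join(root, "_private"))
    with open(os.path.join(root, "user_upload", "editor", "notes.txt"), "w") as fh:
        fh.write("editor file\n")
    with open(os.path.join(root, "_private", "config.txt"), "w") as fh:
        fh.write("db password\n")
    return root


def read_file_vulnerable(root: str, identifier: str) -> str:
    """Unsafe: resolves the identifier under the storage root and reads it
    without asking whether the requesting user may see that path."""
    with open(os.path.join(root, identifier.lstrip("/"))) as fh:
        return fh.read()


def resolve_in_mount(root: str, user: str, identifier: str) -> str:
    """Resolve the identifier, then require the real path to lie inside one
    of the user's mounts. Comparing resolved paths component-wise (not the
    request string) defeats '..' segments, symlinks and prefix look-alikes."""
    real_root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(real_root, identifier.lstrip("/")))
    for mount in FILE_MOUNTS.get(user, []):
        real_mount = os.path.realpath(os.path.join(real_root, mount))
        if os.path.commonpath([real_mount, target]) == real_mount:
            return target
    raise PermissionError(f"{user!r} may not access {identifier!r}")


def read_file_fixed(root: str, user: str, identifier: str) -> str:
    """Read only after the mount check passed."""
    with open(resolve_in_mount(root, user, identifier)) as fh:
        return fh.read()


def create_file_fixed(root: str, user: str, identifier: str, data: str) -> str:
    """Create only inside a permitted mount; returns the resolved path."""
    target = resolve_in_mount(root, user, identifier)
    with open(target, "w") as fh:
        fh.write(data)
    return target


def is_denied(fn, *args) -> bool:
    """True if the hardened handler refuses the request with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    store = build_storage()
    traversal = "user_upload/editor/../../_private/config.txt"
    print(read_file_vulnerable(store, traversal))
    print(is_denied(read_file_fixed, store, "editor", traversal))
    print(is_denied(create_file_fixed, store, "editor", "_private/backdoor.txt", "x"))
```

Note that the check runs on the resolved path rather than on the identifier string: rejecting `..` textually would still miss symlinks inside the storage and would accept a sibling directory whose name merely starts with the mount name.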