Typesetter · Typesetter Cms · CVE-2020-25790
**Name of the Vulnerable Software and Affected Versions**
Typesetter CMS versions 5.x through 5.1
**Description**
The vulnerability allows an administrator to upload and execute arbitrary PHP code by placing a .php file inside an uploaded ZIP archive. Although the vendor considers admins trustworthy, this behavior contradicts the stated security policy, and the vendor is fixing it in version 5.2.
**Recommendations**
For versions 5.x through 5.1, consider disabling the upload functionality for ZIP archives containing .php files until a patch is available.
As a temporary workaround, restrict access to the upload feature to minimize the risk of exploitation.
Avoid using the upload feature for ZIP archives until the issue is resolved in version 5.2.
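One way to implement the first recommendation is to inspect an uploaded ZIP archive before anything is extracted and reject it if any entry would be served as PHP. The following is an added example, not Typesetter's own code, written in Python for illustration; the extension set and the path-traversal check are assumptions to be tuned to the real web server configuration.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Extensions a typical Apache/nginx PHP handler will execute. This set is an
# assumption for the example; align it with the server's actual handler config.
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


@dataclass
class ZipCheckResult:
    ok: bool
    rejected_entries: list = field(default_factory=list)


def _has_php_extension(name: str) -> bool:
    """True if any dot-separated suffix of the file name is PHP-executable.

    Every suffix is checked, not only the last, because Apache's multi-extension
    handling can execute 'x.php.jpg' depending on configuration.
    """
    base = name.rsplit("/", 1)[-1]
    return any(p in PHP_EXECUTABLE_EXTS for p in base.lower().split(".")[1:])


def _is_unsafe_path(name: str) -> bool:
    """Reject entries that would escape the extraction directory."""
    norm = name.replace("\\", "/")
    return norm.startswith("/") or ".." in norm.split("/") or re.match(r"^[A-Za-z]:", norm) is not None


def inspect_zip(data: bytes) -> ZipCheckResult:
    """Inspect the archive bytes before extraction; collect entries to reject."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if _has_php_extension(info.filename) or _is_unsafe_path(info.filename):
                bad.append(info.filename)
    return ZipCheckResult(ok=not bad, rejected_entries=bad)


def build_zip(entries: dict) -> bytes:
    """Build a constructed sample archive in memory (not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_zip({"theme/style.css": "body{}", "theme/logo.png": b"\x89PNG"})))
    print(inspect_zip(build_zip({"theme/style.css": "body{}", "theme/Shell.PHP": "x", "../out.txt": "x"})))
```

The second call reports two rejected entries: the PHP file despite its upper-case extension, and the traversal path. An archive that passes this check can still be extracted with the usual safeguards, but it no longer carries anything the PHP handler would run.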