Thawphone

Rank: #20376 of 53,633
Total CVSS: 12.6
Vulnerabilities: 2
Medium: 2

PT-2025-41260 · CVSS 6.1 · 2025-10-08
Vaahcms · Vaahcms · CVE-2025-61183

**Name of the Vulnerable Software and Affected Versions**

vaahcms version 2.3.1

**Description**

A cross-site scripting issue exists in vaahcms version 2.3.1. A remote attacker can potentially execute arbitrary code through the upload method within the `storeAvatar()` function of the UserBase.php file.

**Recommendations**

Update vaahcms to a newer version that addresses this issue. As a temporary workaround, restrict access to the `storeAvatar()` function in the UserBase.php file.

PT-2025-38162 · CVSS 6.5 · 2025-09-17
Wondercms · Wondercms · CVE-2025-57055

**Name of the Vulnerable Software and Affected Versions**

WonderCMS version 3.5.0

**Description**

WonderCMS version 3.5.0 is vulnerable to Server-Side Request Forgery (SSRF) in the custom module installation functionality. An authenticated administrator can supply a malicious URL via the `pluginThemeUrl` POST parameter. The server fetches the provided URL using the `curl_exec()` function without sufficient validation, allowing an attacker to force internal or external HTTP requests.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.