Ufo009Eo

#14574 of 53,633
18.6 Total CVSS
Vulnerabilities · 2
High: 1
Critical: 1
PT-2020-19301
9.8
2020-01-13
Hashbrown · Hashbrown Cms · CVE-2020-6948
**Name of the Vulnerable Software and Affected Versions**
HashBrown CMS versions 1.3.3 and earlier

**Description**
A remote code execution issue was discovered. The `Server/Entity/Deployer/GitDeployer.js` file has a `Service.AppService.exec` call that mishandles the `URL`, `repository`, `username`, and `password`.

**Recommendations**
For HashBrown CMS versions 1.3.3 and earlier, consider disabling the `GitDeployer.js` file or restricting its use until a patch is available. Avoid using the `Service.AppService.exec` call with untrusted input for the `URL`, `repository`, `username`, and `password` variables. At the moment, there is no information about a newer version that contains a fix for this issue.
PT-2020-19302
8.8
2020-01-13
Hashbrown · Hashbrown Cms · CVE-2020-6949
**Name of the Vulnerable Software and Affected Versions**
HashBrown CMS versions through 1.3.3

**Description**
A privilege escalation issue was found in the `postUser` function. This allows an editor user to change the password hash of an admin user's account or reconfigure the account.

**Recommendations**
For HashBrown CMS versions through 1.3.3, consider restricting access to the `postUser` function until a fix is available. As a temporary workaround, limit the privileges of editor users to prevent them from modifying admin accounts.