V3Ged4G

**Name of the Vulnerable Software and Affected Versions** PluXml versions prior to 5.8.23 **Description** A flaw exists in PluXml that could allow for remote code execution. The issue is located in the `FileCookieJar:: destruct` function within the `core/admin/medias.php` file of the Media Management Module. Manipulation of the `File` argument can lead to deserialization. The exploit has been publicly disclosed. **Recommendations** Update to PluXml version 5.8.23 or later.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 110 **Description** A flaw exists in MaxSite CMS that allows for unrestricted file uploads. This issue is related to the processing of the `file path` and `content` arguments within the file application/maxsite/admin/plugins/editor files/save-file-ajax.php. The attack can be carried out remotely. The exploit for this issue has been published. **Recommendations** Update MaxSite CMS to version 110 or later.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 110 **Description** A flaw exists in MaxSite CMS that allows for unrestricted file uploads. This issue is related to the manipulation of the `X-Requested-FileName` and `X-Requested-FileUpDir` arguments within the HTTP Header Handler, specifically in the file application/maxsite/admin/plugins/auto post/uploads-require-maxsite.php. Remote exploitation is possible. The exploit is publicly available. **Recommendations** Update MaxSite CMS to version 110 or later.

**Name of the Vulnerable Software and Affected Versions** CmsEasy versions up to 7.7.7 **Description** A critical issue was found in the function `getslide child action` in the library `lib/admin/language admin.php`. The manipulation of the argument `sid` leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. **Recommendations** For versions up to 7.7.7, as a temporary workaround, consider disabling the `getslide child action` function until a patch is available. Restrict access to the `lib/admin/language admin.php` library to minimize the risk of exploitation. Avoid using the argument `sid` in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.