Weikang Fu

Name of the Vulnerable Software and Affected Versions: PHPVibe version 11.0.46 Description: A problematic issue has been found in the Global Options Page component, specifically in the file functionalities.global.php. The manipulation of the `site-logo-text` argument leads to cross-site scripting. This issue can be exploited remotely. The vendor was contacted about this disclosure but did not respond. Recommendations: For PHPVibe version 11.0.46, as a temporary workaround, consider restricting access to the Global Options Page or disabling the manipulation of the `site-logo-text` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: PHPVibe version 11.0.46 Description: A critical issue was found in the Media Upload Page component, specifically in the /app/uploading/upload-mp3.php file. The manipulation of the `file` argument leads to unrestricted upload. This issue can be exploited remotely. The exploit has been publicly disclosed. Recommendations: For PHPVibe version 11.0.46, as a temporary workaround, consider disabling the file upload functionality in the Media Upload Page until a patch is available. Restrict access to the /app/uploading/upload-mp3.php file to minimize the risk of exploitation. Avoid using the `file` argument in the affected upload functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.