Windak

**Name of the Vulnerable Software and Affected Versions** PHPGEDVIEW version 2.61 **Description** The issue allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to "editconfig.php". **Recommendations** For PHPGEDVIEW version 2.61, consider restricting access to the "editconfig.php" endpoint until a patch is available. As a temporary workaround, limit the ability to change the administrator password and reinstall the software to authorized personnel only.

**Name of the Vulnerable Software and Affected Versions** PHPGEDVIEW version 2.61 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary HTML and web script. This is achieved via the `firstname` parameter in the "search.php" file. **Recommendations** For PHPGEDVIEW version 2.61, avoid using the `firstname` parameter in the search.php file until a fix is available. As a temporary workaround, consider validating and sanitizing all user input to prevent malicious code injection.

**Name of the Vulnerable Software and Affected Versions** PHPGEDVIEW version 2.61 **Description** The issue allows remote attackers to execute arbitrary PHP code by modifying the `PGV BASE DIRECTORY` parameter to reference a URL on a remote web server that contains the code. This is possible due to a remote file inclusion vulnerability in files such as functions.php, authentication index.php, and config gedcom.php. **Recommendations** For PHPGEDVIEW version 2.61, consider restricting access to the `PGV BASE DIRECTORY` parameter to prevent modification and minimize the risk of exploitation. Additionally, as a temporary workaround, consider disabling the execution of remote PHP code in the affected files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.