Yosri Debaibi

#29283 of 53,632
8.8 Total CVSS
Vulnerabilities · 1
PT-2020-16276
8.8
2020-10-05
Cuppacms · Cuppacms · CVE-2020-26048
**Name of the Vulnerable Software and Affected Versions**
CuppaCMS versions prior to 2019-11-12

**Description**
The issue allows an authenticated attacker to upload a malicious file with an image extension. Through a custom request using the rename function provided by the file manager, the attacker can change the image extension to PHP, resulting in remote arbitrary code execution.

**Recommendations**
For versions prior to 2019-11-12, update to a version released after 2019-11-12 to resolve the issue. As a temporary workaround, consider restricting access to the file manager's rename function to minimize the risk of exploitation. Avoid using the file manager to upload files with potentially executable extensions until the issue is resolved.