Threat Feed

Vendor

Vvveb

4 briefs
critical advisory

Vvveb Hardcoded Credentials Vulnerability in phpMyAdmin Container

Vvveb versions before 1.0.8.2 contain a hardcoded credentials vulnerability in the docker-compose-apache.yaml configuration, allowing unauthenticated attackers to access the phpMyAdmin container and gain unrestricted read and write access to the Vvveb database, leading to account takeover and data manipulation.

Vvveb +1 hardcoded-credentials phpmyadmin docker vulnerability
high advisory

Vvveb CMS XML External Entity Injection Vulnerability

Vvveb before 1.0.8.2 is vulnerable to XML external entity (XXE) injection in the admin import feature, allowing authenticated site administrators to read arbitrary files and modify database records, potentially leading to privilege escalation.

Vvveb +1 xxe vulnerability injection
critical advisory

Vvveb Unrestricted File Upload Leads to Remote Code Execution (CVE-2026-41938)

An unrestricted file upload vulnerability in Vvveb versions before 1.0.8.2 allows authenticated users with media upload permissions to achieve remote code execution by uploading a .htaccess file to execute arbitrary PHP code via a .phtml file.

Vvveb cve-2026-41938 rce file-upload
critical advisory

Vvveb Authenticated Remote Code Execution via .htaccess Upload (CVE-2026-41934)

Vvveb versions before 1.0.8.2 are vulnerable to authenticated remote code execution (RCE), enabling low-privilege users to execute arbitrary code by uploading a malicious .htaccess file and subsequently uploading PHP code with a mapped extension, resulting in unauthenticated RCE upon file access.

Vvveb rce htaccess CVE-2026-41934 attack.execution