Alexander Drabek

**Nome do software vulnerável e versões afetadas** Aptean Product Configurator versão 4.61.0000 **Descrição** Uma falha afeta a página principal de login, especificamente o parâmetro `nameTxt`, permitindo uma injeção de SQL baseada em tempo. Isso pode ser explorado diretamente e remotamente. **Recomendações** Para a versão 4.61.0000, evite usar o parâmetro `nameTxt` na página de login até que o problema seja resolvido. Como solução temporária, considere restringir o acesso à página de login para minimizar o risco de exploração.

**Name of the Vulnerable Software and Affected Versions** 3CX Phone system (web) management console versions 12.5.44178.1002 through 12.5 SP2 **Description** An issue was discovered in the management console, where the Content.MainForm.wgx component is affected by an XML External Entity (XXE) vulnerability via a crafted XML document in POST data. This could potentially be used for Server-Side Request Forgery (SSRF), allowing for the reading of local files, outbound HTTP requests, and outbound DNS queries. **Recommendations** For versions 12.5.44178.1002 through 12.5 SP2, consider disabling the Content.MainForm.wgx component as a temporary workaround until a patch is available. Restrict access to the management console to minimize the risk of exploitation. Avoid using crafted XML documents in POST data to the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PrestaShop version 1.7.5.2 **Description** The issue concerns a Reflected XSS affecting the `shop country` parameter in the `install/index.php` installation script/component. Exploitation requires a user to follow the initial setup stages, including accepting terms and conditions, before executing a malicious link. **Recommendations** For PrestaShop version 1.7.5.2, as a temporary workaround, consider restricting access to the `install/index.php` script until a patch is available. Avoid using the `shop country` parameter in the installation process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Premium WP Suite Easy Redirect Manager plugin version 28.07-17 **Description** The issue concerns a crafted GET request that is mishandled during log viewing, leading to XSS. This occurs at the 'templates/admin/redirect-log.php' URI. **Recommendations** For Premium WP Suite Easy Redirect Manager plugin version 28.07-17, consider disabling the log viewing feature at the 'templates/admin/redirect-log.php' URI until a patch is available. Restrict access to this URI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology DiskStation Manager (DSM) versions prior to 6.1.3-15152 **Description** A design flaw in SYNO.API.Encryption allows remote attackers to bypass the encryption protection mechanism via the crafted `version` parameter. **Recommendations** For versions prior to 6.1.3-15152, update to version 6.1.3-15152 or later to resolve the issue. As a temporary workaround, consider restricting access to the SYNO.API.Encryption module to minimize the risk of exploitation.