Asai Ken

**Nome do software vulnerável e versões afetadas: GroupSession Free Edition, versões 2.2.0 a 5.0.x GroupSession byCloud, versões 3.0.3 a 5.0.x GroupSession ZION, versões 3.0.3 a 5.0.x Descrição: Uma vulnerabilidade de falsificação de solicitação entre sites (CSRF) permite que um invasor remoto se aproprie da autenticação de administradores por meio de uma URL especialmente criada. Recomendações: Para as versões 2.2.0 a 5.0.x do GroupSession Free Edition, atualize para a versão 5.1.0 ou posterior. Para as versões 3.0.3 a 5.0.x do GroupSession byCloud, atualize para a versão 5.1.0 ou posterior. Para as versões 3.0.3 a 5.0.x do GroupSession ZION, atualize para a versão 5.1.0 ou posterior.

**Nome do software vulnerável e versões afetadas: GroupSession Free Edition, versões 2.2.0 a 5.1.0 GroupSession byCloud, versões 3.0.3 a 5.1.0 GroupSession ZION, versões 3.0.3 a 5.1.0 Descrição: Uma vulnerabilidade de cross-site scripting permite que um invasor remoto injete um script arbitrário enviando uma solicitação especialmente criada para uma URL específica. Recomendações: Para as versões 2.2.0 a 5.1.0 do GroupSession Free Edition, atualize para a versão 5.1.0 ou posterior. Para as versões 3.0.3 a 5.1.0 do GroupSession byCloud, atualize para a versão 5.1.0 ou posterior. Para as versões 3.0.3 a 5.1.0 do GroupSession ZION, atualize para a versão 5.1.0 ou posterior.

**Name of the Vulnerable Software and Affected Versions** Movable Type versions prior to 6.3.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 6.3.1, update to version 6.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pixelpost versions 1.7.3 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For Pixelpost versions 1.7.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Zenphoto versions 1.4.14 and earlier **Description** A local file inclusion issue allows a remote attacker with administrative privileges to execute arbitrary code or obtain sensitive information. **Recommendations** For Zenphoto versions 1.4.14 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Pixelpost versions 1.7.3 and earlier **Description** The issue allows remote code execution via unspecified vectors. **Recommendations** For Pixelpost versions 1.7.3 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SEO Panel versions prior to 3.11.0 **Description** The issue allows authenticated attackers to execute arbitrary SQL commands. **Recommendations** For versions prior to 3.11.0, update to version 3.11.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SEO Panel versions prior to 3.11.0 **Description** A cross-site scripting issue allows an attacker to inject arbitrary web script or HTML. **Recommendations** For versions prior to 3.11.0, update to version 3.11.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WebCalendar versions 1.2.7 and earlier **Description** A directory traversal issue allows authenticated attackers to read arbitrary files. **Recommendations** For versions 1.2.7 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WebCalendar versions 1.2.7 and earlier **Description** A cross-site scripting issue allows an attacker to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For versions 1.2.7 and earlier, update to a version later than 1.2.7 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** MaxButtons versions prior to 6.19 MaxButtons Pro versions prior to 6.19 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For MaxButtons versions prior to 6.19, update to version 6.19 or later. For MaxButtons Pro versions prior to 6.19, update to version 6.19 or later.

**Name of the Vulnerable Software and Affected Versions** SOY CMS versions 1.8.1 through 1.8.12 **Description** A directory traversal issue allows authenticated attackers to read arbitrary files by manipulating the `shop id` variable. **Recommendations** For SOY CMS versions 1.8.1 through 1.8.12, consider restricting access to the vulnerable component until a patch is available. As a temporary workaround, avoid using the `shop id` variable in sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WP Statistics versions prior to 12.0.1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 12.0.1, update to a version later than 12.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CubeCart versions prior to 6.1.5 **Description** A directory traversal issue allows an attacker with administrator rights to read arbitrary files via unspecified vectors. **Recommendations** For versions prior to 6.1.5, update to version 6.1.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** CS-Cart versions 4.3.9 and earlier CS-Cart Multi-Vendor versions 4.3.9 and earlier **Description** The issue allows remote authenticated users to execute arbitrary PHP code on the servers. **Recommendations** For CS-Cart versions 4.3.9 and earlier, update to a version later than 4.3.9. For CS-Cart Multi-Vendor versions 4.3.9 and earlier, update to a version later than 4.3.9.

**Name of the Vulnerable Software and Affected Versions** ADODB versions prior to 5.20.6 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to 5.20.6, update to version 5.20.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenPNE versions 3.4.x through 3.4.21, OpenPNE versions 3.6.x through 3.6.9, OpenPNE versions 3.8.x through 3.8.5 **Description** A cross-site scripting (XSS) issue exists in the management screen, allowing remote attackers to inject arbitrary web script or HTML via vectors involving the `mobile version color scheme`. **Recommendations** For OpenPNE versions 3.4.x through 3.4.21, update to version 3.4.21.1 or later. For OpenPNE versions 3.6.x through 3.6.9, update to version 3.6.9.1 or later. For OpenPNE versions 3.8.x through 3.8.5, update to version 3.8.5.1 or later.