Cengiz Han Sahin

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.6.1 **Description** A cross-site scripting (XSS) issue exists due to a vulnerability in the media handle upload function. This could allow remote attackers to inject arbitrary web script or HTML by tricking an administrator into uploading an image file with a crafted filename. **Recommendations** For versions prior to 4.6.1, update to version 4.6.1 or later to resolve the issue. As a temporary workaround, consider restricting image uploads to trusted administrators only until the update is applied.

**Name of the Vulnerable Software and Affected Versions** WordPress versions prior to 4.6.1 **Description** A directory traversal issue exists in the File Upload Upgrader class, allowing remote authenticated users to access arbitrary files by crafting a `urlholder` parameter. **Recommendations** For versions prior to 4.6.1, update to version 4.6.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** EMC ViPR SRM versions prior to 3.7 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities found in the administrative pages. These vulnerabilities can be exploited by remote attackers to hijack the authentication of administrators. **Recommendations** For versions prior to 3.7, update to version 3.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Synology Video Station versions prior to 1.5-0763 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter to the "watchstatus.cgi" endpoint. **Recommendations** For versions prior to 1.5-0763, update to version 1.5-0763 or later to resolve the issue. As a temporary workaround, consider restricting access to the "watchstatus.cgi" endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Synology Download Station versions prior to 3.5-2962 **Description** A cross-site scripting (XSS) issue exists in the "Create download task via file upload" feature, allowing remote attackers to inject arbitrary web script or HTML via the `name` element in the `Info` dictionary in a torrent file. **Recommendations** For versions prior to 3.5-2962, update to version 3.5-2962 or later to resolve the issue. As a temporary workaround, consider restricting the use of the "Create download task via file upload" feature until a patch is applied. Avoid using the `name` element in the `Info` dictionary in torrent files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Synology Video Station versions prior to 1.5-0757 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter to the "audiotrack.cgi" endpoint. **Recommendations** For versions prior to 1.5-0757, update to version 1.5-0757 or later to resolve the issue. As a temporary workaround, consider restricting access to the "audiotrack.cgi" endpoint to minimize the risk of exploitation. Avoid using the `id` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Synology Download Station versions prior to 3.5-2967 **Description** A cross-site scripting (XSS) issue exists in the "Create download task via URL" feature, allowing remote attackers to inject arbitrary web script or HTML via the `urls` parameter in an `add url task` action to "dlm/downloadman.cgi". **Recommendations** For versions prior to 3.5-2967, update to version 3.5-2967 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Create download task via URL" feature until the update is applied. Avoid using the `urls` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Synology Video Station versions prior to 1.5-0763 **Description** The issue allows remote attackers to execute arbitrary shell commands. This is achieved by injecting shell metacharacters into the `subtitle codepage` parameter of the "subtitle.cgi" endpoint. **Recommendations** For versions prior to 1.5-0763, update to version 1.5-0763 or later to resolve the issue. As a temporary workaround, consider restricting access to the subtitle.cgi endpoint to minimize the risk of exploitation. Avoid using the `subtitle codepage` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Synology Photo Station versions prior to 6.3-2945 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `success` parameter to "login.php" or crafted URL parameters to "index.php", such as the `t` parameter to "photo/". **Recommendations** For versions prior to 6.3-2945, update to version 6.3-2945 or later to resolve the issue. As a temporary workaround, consider restricting access to the "login.php" and "index.php" files to minimize the risk of exploitation. Avoid using the `success` parameter in the "login.php" file and the `t` parameter in the "photo/" endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Synology DiskStation Manager (DSM) versions prior to 5.2-5565 Update 1 **Description** The issue is related to a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `compound` parameter to the "entry.cgi" endpoint. **Recommendations** For versions prior to 5.2-5565 Update 1, update to 5.2-5565 Update 1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "entry.cgi" endpoint until a patch is available. Avoid using the `compound` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Citrix NetScaler versions prior to 10.5 build 52.3nc **Description** A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack administrator authentication for requests that execute arbitrary commands as nsroot. This is achieved via shell metacharacters in the `file name` JSON member in `params/xen hotfix/0` to "nitro/v1/config/xen hotfix" API endpoint. **Recommendations** For versions prior to 10.5 build 52.3nc, update to build 52.3nc or later to resolve the issue. As a temporary workaround, consider restricting access to the "nitro/v1/config/xen hotfix" API endpoint to minimize the risk of exploitation. Avoid using the `file name` JSON member in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Citrix NetScaler versions prior to 10.5 build 52.3nc **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks. This is achieved by exploiting the Nitro API, which returns an error message with an incorrect Content-Type, via the `file name` JSON member in the "params/xen hotfix/0" to "nitro/v1/config/xen hotfix" API endpoint. **Recommendations** For versions prior to 10.5 build 52.3nc, update to build 52.3nc or later to resolve the issue. As a temporary workaround, consider restricting access to the Nitro API to minimize the risk of exploitation. Avoid using the `file name` JSON member in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Citrix NetScaler versions prior to 10.5 build 52.3nc **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `searchQuery` parameter in the "help/rt/large search.html" page. **Recommendations** For versions prior to 10.5 build 52.3nc, update to version 10.5 build 52.3nc or later to resolve the issue. As a temporary workaround, consider restricting access to the "help/rt/large search.html" page to minimize the risk of exploitation. Avoid using the `searchQuery` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Websense Triton version 7.8.3 Websense V-Series version 7.7 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a crafted email or HTTP request, triggering a DLP Policy. This occurs due to multiple cross-site scripting (XSS) vulnerabilities in the data loss prevention (DLP) incident Forensics Preview. **Recommendations** For Websense Triton version 7.8.3, update to a version that includes a fix for the XSS vulnerabilities in the DLP incident Forensics Preview. For Websense V-Series version 7.7, update to a version that includes a fix for the XSS vulnerabilities in the DLP incident Forensics Preview.

**Name of the Vulnerable Software and Affected Versions** Citrix Command Center versions prior to 5.1 Build 35.4 Citrix Command Center versions prior to 5.2 Build 42.7 **Description** The issue is related to improper access restriction to the Advent Java Management Extensions (JMX) Servlet. This allows remote attackers to execute arbitrary code via unspecified vectors to `servlets/Jmx dynamic`. **Recommendations** For versions prior to 5.1 Build 35.4, update to Build 35.4 or later to resolve the issue. For versions prior to 5.2 Build 42.7, update to Build 42.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Citrix Command Center versions prior to 5.1 Build 35.4 Citrix Command Center versions prior to 5.2 Build 42.7 **Description** The issue allows remote attackers to obtain credentials by making a direct request to the `conf/securitydbData.xml` file. **Recommendations** For versions prior to 5.1 Build 35.4, update to Build 35.4 or later. For versions prior to 5.2 Build 42.7, update to Build 42.7 or later.

**Name of the Vulnerable Software and Affected Versions** Websense TRITON versions 7.8.3 through 7.8.3 before Hotfix 02 Websense V-Series appliances versions 7.8.3 through 7.8.3 before Hotfix 02 **Description** The issue concerns the network diagnostics tool CommandLineServlet in the Appliance Manager command line utility. It allows remote authenticated users to execute arbitrary commands via shell metacharacters in the `second` parameter of a command. This can be demonstrated by the Destination parameter in the ping command, using `second` parameter with shell metacharacters. **Recommendations** For Websense TRITON version 7.8.3, update to version 7.8.4 Hotfix 02 to resolve the issue. For Websense V-Series appliances version 7.8.3, update to version 7.8.4 Hotfix 02 to resolve the issue. As a temporary workaround, consider restricting access to the CommandLineServlet to minimize the risk of exploitation. Avoid using the `second` parameter in commands until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Websense TRITON AP-WEB versions prior to 8.0.0 **Description** The issue allows remote attackers to obtain sensitive information by making a direct request to certain files. This includes accessing Web Security incident reports or the Explorer configuration file, `websense.ini`. **Recommendations** For versions prior to 8.0.0, update to version 8.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Websense TRITON AP-WEB versions prior to 8.0.0 Websense Web Security and Filter versions 7.8.3 through 7.8.3 before Hotfix 02 Websense Web Security Gateway versions 7.8.3 through 7.8.3 before Hotfix 02 Websense Web Security Gateway Anywhere versions 7.8.3 through 7.8.3 before Hotfix 02 and 7.8.4 before Hotfix 01 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `ReportName` (Job Name) parameter to the "cgi-bin/WsCgiExplorerSchedule.exe" in the Job Queue or the `col` parameter to the Names or Anonymous summary report page. **Recommendations** For Websense TRITON AP-WEB versions prior to 8.0.0, update to version 8.0.0 or later. For Websense Web Security and Filter, Web Security Gateway, and Web Security Gateway Anywhere versions 7.8.3 before Hotfix 02, apply Hotfix 02. For Websense Web Security Gateway Anywhere version 7.8.4 before Hotfix 01, apply Hotfix 01. As a temporary workaround, consider restricting access to the vulnerable "cgi-bin/WsCgiExplorerSchedule.exe" and "explorer wse/explorer anon.exe" pages until a patch is available. Avoid using the `ReportName` and `col` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Websense TRITON AP-WEB versions prior to 8.0.0 Websense V-Series appliances version 7.7 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `ws-userip` in the `ws-encdata` parameter to "cve-bin/moreBlockInfo.cgi" in the Data Security block page or the `admin msg` parameter to "configure/ssl ui/eva-config/client-cert-import wsoem.html" in the Content Gateway. The vulnerability arises because the parameters are not properly handled in an error message. **Recommendations** For Websense TRITON AP-WEB versions prior to 8.0.0, update to version 8.0.0 or later. For Websense V-Series appliances version 7.7, update to a version later than 7.7. As a temporary workaround, consider restricting access to the "cve-bin/moreBlockInfo.cgi" and "configure/ssl ui/eva-config/client-cert-import wsoem.html" pages to minimize the risk of exploitation. Avoid using the `ws-userip` and `admin msg` parameters in the affected API endpoints until the issue is resolved.