Christopher Kunz

**Name of the Vulnerable Software and Affected Versions** PHPKIT versions 1.6.1 R2 and earlier **Description** A directory traversal issue might allow remote authenticated users to execute arbitrary PHP code. This can be achieved by including a .. (dot dot) in the `path` parameter and a %00 at the end of the `filename`, as demonstrated by an avatar `filename` ending with .png%00. **Recommendations** For PHPKIT versions 1.6.1 R2 and earlier, avoid using the `path` parameter with .. (dot dot) and %00 at the end of the `filename` until a fix is available. As a temporary workaround, consider restricting access to sensitive directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vTiger CRM versions 4.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via multiple vectors, including the `account name`. This can lead to the execution of malicious scripts on the client-side. **Recommendations** For versions 4.2 and earlier, update to a version later than 4.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vTiger CRM versions 4.2 and earlier **Description** The issue allows remote attackers to read or include arbitrary files and ultimately execute arbitrary PHP code via directory traversal vulnerabilities. This is achieved by using .. (dot dot) and null byte ("%00") sequences in the `module` parameter and `action` parameter in the Leads module. Attackers can also inject PHP code into log messages and access the log file. **Recommendations** For vTiger CRM versions 4.2 and earlier, consider restricting access to the Leads module and limiting the ability to inject PHP code into log messages until a fix is available. As a temporary workaround, restrict the use of the `module` and `action` parameters in the index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vTiger CRM versions 4.2 and earlier **Description** The issue allows remote attackers to upload arbitrary files, including PHP files, via the `add2db` action in the uploads module. **Recommendations** For versions 4.2 and earlier, consider disabling the uploads module or restricting file uploads to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** vTiger CRM versions 4.2 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via an arbitrary file in the `templatename` parameter, which is passed to the `eval()` function. **Recommendations** For versions 4.2 and earlier, consider restricting access to the Users module until a fix is available. As a temporary workaround, avoid using the `templatename` parameter in the affected module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** vTiger CRM versions 4.2 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `username` in the login form or the `record` parameter, as seen in the EditView action for the Contacts module. **Recommendations** For versions 4.2 and earlier, consider disabling the login form or restricting access to the EditView action in the Contacts module until a fix is available. Avoid using the `username` and `record` parameters in sensitive operations to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpSysInfo versions 2.4 and earlier phpgroupware versions 0.9.16 and earlier egroupware versions prior to 1.0.0.009 **Description** The issue allows remote attackers to spoof web content and poison web caches. This is achieved via CRLF sequences in the `charset` parameter. **Recommendations** For phpSysInfo versions 2.4 and earlier, update to a version later than 2.4 to resolve the issue. For phpgroupware versions 0.9.16 and earlier, update to a version later than 0.9.16 to resolve the issue. For egroupware versions prior to 1.0.0.009, update to version 1.0.0.009 or later to resolve the issue. As a temporary workaround, consider restricting access to the `charset` parameter in the affected API endpoint until a patch is available.

Multiple directory traversal vulnerabilities in index.php in phpSysInfo 2.4 and earlier, as used in phpgroupware 0.9.16 and earlier, and egrouwpware before 1.0.0.009, allow remote attackers to include arbitrary files via .. (dot dot) sequences in the (1) sensor program parameter or the (2) SERVER[HTTP ACCEPT LANGUAGE] parameter, which overwrites an internal variable, a variant of CVE-2003-0536. NOTE: due to a typo in an advisory, an issue in osh was inadvertently linked to this identifier; the proper identifier for the osh issue is CVE-2005-3346.

**Name of the Vulnerable Software and Affected Versions** SysCP versions 1.2.10 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via a string containing the code within `{` and `}` characters, which are processed by the PHP `eval()` function. **Recommendations** For SysCP versions 1.2.10 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SysCP versions 1.2.10 and earlier **Description** The issue allows remote attackers to execute arbitrary PHP code via the `language` parameter. **Recommendations** For SysCP versions 1.2.10 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contrexx versions prior to 1.0.5 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `value` parameter to the "poll module" or the `pId` parameter to the "gallery module". **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Contrexx versions prior to 1.0.5 **Description** The issue allows remote attackers to obtain sensitive information. This can be achieved by making a direct request to the "/config/version.xml" API endpoint. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/config/version.xml" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Contrexx versions prior to 1.0.5 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the `term` parameter to the search module or the `title` in the blog aggregation module. **Recommendations** For versions prior to 1.0.5, update to version 1.0.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the search module and blog aggregation module to minimize the risk of exploitation. Avoid using the `term` parameter in the search module and the `title` in the blog aggregation module until the issue is resolved.