Dennis Veninga

Name of the Vulnerable Software and Affected Versions: Reservo Image Hosting version 1.6 Description: The issue allows for XSS attacks, potentially enabling attackers to steal user sessions, including those of administrators, by executing malicious code when an infected URL is accessed. This is particularly concerning due to the presence of a user/admin login interface. The vulnerability is specifically related to the search engine function, which is accessible through the "t" parameter to the "/search" URI. Recommendations: For Reservo Image Hosting version 1.6, consider disabling the search engine function or restricting access to the /search URI until a fix is available. Additionally, avoid using the `t` parameter in the /search URI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BizLogic xnami version 1.0 **Description** The issue allows for XSS via the `comment` parameter in an `addComment` action to the "/media/ajax" API endpoint. **Recommendations** For BizLogic xnami version 1.0, avoid using the `comment` parameter in the "/media/ajax" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the `/media/ajax` API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FoxSash ImgHosting version 1.5 **Description** The issue allows for XSS attacks, specifically through the search engine function via the `search` parameter to the default URI. This could enable attackers to steal user and admin sessions by sending infected URLs, which would execute malicious code. **Recommendations** For FoxSash ImgHosting version 1.5, as a temporary workaround, consider disabling the search function until a patch is available. Restrict access to the user/admin login interface to minimize the risk of session theft. Avoid using the `search` parameter in the affected URI until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Wachipi WP Events Calendar plugin version 1.0 **Description** The issue concerns SQL Injection via the `event id` parameter to the "event.php" endpoint. This allows for potential exploitation by injecting malicious SQL code. **Recommendations** For Wachipi WP Events Calendar plugin version 1.0, avoid using the `event id` parameter in the "event.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "event.php" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.