Ivan Markovic

**Name of the Vulnerable Software and Affected Versions** emuCMS versions 0.3 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `query` or `page` parameters in index.php. This can lead to cross-site scripting (XSS) attacks. **Recommendations** For emuCMS versions 0.3 and earlier, as a temporary workaround, consider restricting access to the index.php file until a patch is available. Avoid using the `query` and `page` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vtiger CRM versions 4.2.4 and earlier **Description** The issue concerns an unrestricted file upload vulnerability. This vulnerability allows remote attackers to upload and execute arbitrary files with executable extensions in the /cashe/mails folder. **Recommendations** For versions 4.2.4 and earlier, consider restricting access to the fileupload.html module to minimize the risk of exploitation. As a temporary workaround, restrict file uploads to only necessary and validated file types to prevent the execution of arbitrary files.

**Name of the Vulnerable Software and Affected Versions** vtiger CRM versions 4.2.4 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the `description` parameter in unspecified modules or the `solution` parameter in the HelpDesk module. **Recommendations** For vtiger CRM versions 4.2.4 and earlier, consider restricting access to the vulnerable modules and parameters, such as the `description` parameter and the `solution` parameter in the HelpDesk module, until a fix is available. As a temporary workaround, avoid using the `description` and `solution` parameters in the affected modules to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** vtiger CRM versions 4.2.4 and earlier **Description** The issue allows remote attackers to bypass authentication and access administrative modules by making a direct request to "index.php" with a modified `module` parameter. This can be demonstrated using the Settings module. **Recommendations** For versions 4.2.4 and earlier, consider restricting access to the "index.php" endpoint to minimize the risk of exploitation. As a temporary workaround, limit the use of the `module` parameter in the "index.php" endpoint until a fix is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SD Studio CMS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `news id`, `tid`, and `page id` parameters in the index.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.