Jing Wang

**Name of the Vulnerable Software and Affected Versions** phpwind version 8.7 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the `url` parameter in the goto.php file. **Recommendations** For phpwind version 8.7, consider restricting access to the goto.php file or validating the `url` parameter to prevent redirects to unauthorized sites until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SuperWebMailer versions 5.60.0.01190 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `HTMLForm` parameter. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For SuperWebMailer versions 5.60.0.01190 and earlier, as a temporary workaround, consider restricting access to the defaultnewsletter.php file until a patch is available. Avoid using the `HTMLForm` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webshop hun version 1.062S **Description** A directory traversal issue exists, allowing remote attackers to have an unspecified impact by using directory traversal sequences in the `mappa` parameter to the "index.php" endpoint. **Recommendations** For Webshop hun version 1.062S, consider restricting access to the `mappa` parameter in the "index.php" endpoint until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Webshop hun version 1.062S **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `termid` or `nyelv id` parameter to the "index.php" endpoint. **Recommendations** For version 1.062S, consider restricting access to the `index.php` endpoint until a patch is available, and avoid using the `termid` and `nyelv id` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NetCat versions 5.01 and earlier **Description** The issue allows remote attackers to obtain the installation path. This is achieved via the `redirect url` parameter to "netshop/post.php" API endpoint. **Recommendations** For NetCat versions 5.01 and earlier, avoid using the `redirect url` parameter in the "netshop/post.php" API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** DLGuard version 4.5 **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by manipulating the `c` parameter in the "index.php" endpoint. **Recommendations** For DLGuard version 4.5, consider restricting access to the "index.php" endpoint until a patch is available, and avoid using the `c` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DLGuard versions 4.5 through 5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters, including the `page`, `c`, or `redirect` parameter to `index.php`, or the `searchTerm` parameter in the main page's search field. **Recommendations** For DLGuard versions 4.5 through 5, consider restricting access to the `index.php` page and limiting user input for the `page`, `c`, `redirect`, and `searchTerm` parameters until a fix is available. As a temporary workaround, avoid using the search field in the main page and restrict the use of the vulnerable parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** my little forum versions 1.7 through 2.3.3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `page` or `category` parameter to "forum.php" or the `page` or `order` parameter to "board entry.php" or "forum entry.php". **Recommendations** For my little forum versions 1.7 through 2.3.3, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Ex Libris Patron Directory Services (PDS) NYU OpenSSO Integration versions 2.1 and earlier **Description** A cross-site scripting (XSS) issue exists in the logon page, allowing remote attackers to inject arbitrary web script or HTML via the `url` parameter. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For Ex Libris Patron Directory Services (PDS) NYU OpenSSO Integration versions 2.1 and earlier, consider restricting access to the logon page until a fix is available. As a temporary workaround, avoid using the `url` parameter in the logon page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** goYWP WebPress version 13.00.06 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The affected parameters include `search param` to the "search.php" endpoint, and `name`, `address`, or `comment` parameters to the "forms.php" endpoint. **Recommendations** For goYWP WebPress version 13.00.06, as a temporary workaround, consider validating and sanitizing user input for the `search param` parameter in "search.php" and the `name`, `address`, and `comment` parameters in "forms.php" to prevent XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PingFederate version 6.10.1 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks. This is achieved via a URL in the `TargetResource` parameter in the startSSO.ping endpoint. **Recommendations** For PingFederate version 6.10.1, consider restricting access to the startSSO.ping endpoint to minimize the risk of exploitation. Avoid using the `TargetResource` parameter in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ad-Manager plugin version 1.1.2 **Description** The issue allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the `out` parameter. This is achieved through an open redirect vulnerability in the track-click.php file. **Recommendations** For Ad-Manager plugin version 1.1.2, update to a version that fixes this issue to prevent open redirects. As a temporary workaround, consider restricting access to the track-click.php file to minimize the risk of exploitation. Avoid using the `out` parameter in the affected API endpoint until the issue is resolved.