Jrsfaisal

**Name of the Vulnerable Software and Affected Versions** OpenSID version 18.06-pasca **Description** The issue allows for an Unrestricted File Upload via an Attachment Document in the article feature. This leads to uploading arbitrary PHP code by using a .php filename with the application/pdf Content-Type. **Recommendations** For OpenSID version 18.06-pasca, consider restricting the upload of files with executable extensions, such as .php, to prevent arbitrary code execution until a patch is available. As a temporary workaround, restrict access to the article feature's file upload functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSID version 18.06-pasca **Description** The issue is related to reflected Cross Site Scripting (XSS) that can be triggered via the `cari` parameter in an index.php/first?cari= URI. This allows for potential malicious script injection. **Recommendations** For OpenSID version 18.06-pasca, avoid using the `cari` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the index.php/first endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenSID version 18.06-pasca **Description** The issue allows an attacker to add an account at the admin level. This is achieved via the "index.php/man user/insert" API endpoint. **Recommendations** For OpenSID version 18.06-pasca, consider restricting access to the "index.php/man user/insert" API endpoint to prevent unauthorized account additions until a fix is available.

**Name of the Vulnerable Software and Affected Versions** SLiMS versions 8.3.1 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the Master File module. The issue is triggered via an admin/modules/master file/rda cmc.php?keywords= URI. **Recommendations** For version 8.3.1, consider restricting access to the vulnerable module until a patch is available. Avoid using the `keywords` parameter in the affected API endpoint `/admin/modules/master file/rda cmc.php` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SLiMS versions 8.3.1 **Description** A Reflected Cross-Site Scripting issue exists in the Bibliography module. This is due to insufficient input validation in the `keywords` parameter of the `/admin/modules/bibliography/index.php` API endpoint. **Recommendations** For version 8.3.1, avoid using the `keywords` parameter in the `/admin/modules/bibliography/index.php` endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the Bibliography module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SLiMS 8 Akasia version 8.3.1 **Description** The issue allows remote attackers to bypass the CSRF protection mechanism and obtain admin access by omitting the `csrf token` parameter. **Recommendations** For SLiMS 8 Akasia version 8.3.1, ensure that the `csrf token` parameter is always included and validated to prevent CSRF attacks. As a temporary workaround, consider implementing additional validation checks for the `csrf token` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SLiMS version 8.3.1 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the Stock Take module. This can be exploited via the `/admin/modules/stock take/index.php?keywords=` API endpoint, specifically through the `keywords` variable. **Recommendations** For version 8.3.1, consider restricting access to the Stock Take module until a fix is available. As a temporary workaround, avoid using the `keywords` variable in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** SLiMS versions 8.3.1 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the Circulation module. The issue is related to a URI in the admin/modules/circulation/loan rules.php file, specifically with the `keywords` parameter. **Recommendations** For version 8.3.1, avoid using the `keywords` parameter in the `/admin/modules/circulation/loan rules.php` endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the Circulation module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SLiMS version 8.3.1 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the Membership module. This issue can be triggered via the `/admin/modules/membership/index.php?keywords=` API endpoint, where the `keywords` parameter is vulnerable. **Recommendations** For version 8.3.1, as a temporary workaround, consider restricting access to the `/admin/modules/membership/index.php` endpoint until a patch is available. Avoid using the `keywords` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.