L4Teral

**Name of the Vulnerable Software and Affected Versions** ProjectPier versions 0.8 and earlier **Description** A cross-site request forgery issue allows remote attackers to perform actions as an administrator via the query string, such as a delete project action. **Recommendations** For ProjectPier versions 0.8 and earlier, consider disabling access to the index.php file until a patch is available to prevent exploitation of the CSRF vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProjectPier versions 0.8 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various means, including a message, a milestone, or a display name in a profile, or the `a` or `c` parameter to "index.php". **Recommendations** For ProjectPier versions 0.8 and earlier, consider restricting user input for messages, milestones, and display names in profiles, and limit access to the `a` and `c` parameters in "index.php" until a fix is available.

**Name of the Vulnerable Software and Affected Versions** Typo versions 5.1.3 and earlier **Description** A cross-site scripting (XSS) issue exists in the leave comment feature, allowing remote attackers to inject arbitrary web script or HTML via the `comment[author]` and `comment[url]` parameters. This could potentially lead to malicious actions on the affected system. **Recommendations** For Typo versions 5.1.3 and earlier, consider disabling the leave comment feature until a fix is available. Restrict access to the comment[author] and comment[url] parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** eTicket version 1.5.5.2 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands via the `status`, `sort`, and `way` parameters to "search.php", and remote authenticated administrators to execute arbitrary SQL commands via the `msg` and `password` parameters to "admin.php". **Recommendations** For version 1.5.5.2, consider restricting access to the "search.php" and "admin.php" files until a patch is available, and avoid using the `status`, `sort`, `way`, `msg`, and `password` parameters in these files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ILIAS versions 3.8.3 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via attributes inside a domain-name string in the mailing or forum component. This can be achieved using the style and onmouseover HTML attributes. **Recommendations** For ILIAS versions 3.8.3 and earlier, update to a version later than 3.8.3 to resolve the issue. As a temporary workaround, consider restricting the use of the mailing and forum components until a patch is available. Avoid using the style and onmouseover HTML attributes in these components to minimize the risk of exploitation.