Marcus Nilsson

**Nome do software vulnerável e versões afetadas** Versões do Logpoint anteriores à 7.1.0 **Descrição** A vulnerabilidade permite um ataque Self-XSS na página de autenticação LDAP por meio do campo `username` do formulário de login LDAP. **Recomendações** Para versões anteriores à 7.1.0, atualize para a versão 7.1.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao formulário de login LDAP para minimizar o risco de exploração. Evite usar nomes de usuário maliciosos no formulário afetado até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** The issue allows remote attackers to obtain sensitive information via the `User Profile` field. This is a CSV Injection vulnerability, which can be exploited by attackers to gain access to sensitive data. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider restricting access to the `User Profile` field until a patch is available. As a temporary workaround, avoid using the `User Profile` field in remote interactions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** An issue in Sesami Cash Point & Transport Optimizer (CPTO) allows local attackers to obtain sensitive information and bypass authentication via a "Back Button Refresh" attack. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** An issue was discovered that allows remote attackers to obtain sensitive information and bypass profile restriction via improper access control in the Reader system user's web browser, allowing the journal to be displayed, despite the option being disabled. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider disabling the Reader system user's web browser access to the journal as a temporary workaround until a patch is available. Restrict access to the journal to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** The issue allows remote attackers to obtain sensitive information via the `Delivery Name` field. This is a result of a CSV Injection vulnerability. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider restricting access to the `Delivery Name` field until a patch is available. As a temporary workaround, avoid using the `Delivery Name` field in sensitive operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** The issue allows attackers to obtain sensitive information via the `User Name` field. This is a CSV Injection vulnerability, which can be exploited to gain unauthorized access to data. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider restricting access to the `User Name` field until a patch is available. As a temporary workaround, avoid using the `User Name` field in sensitive operations to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** The issue allows remote attackers to execute arbitrary code and obtain sensitive information via the `User ID` field when creating a new system user. This is a Cross Site Scripting (XSS) vulnerability. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider disabling the creation of new system users until a patch is available to prevent exploitation via the `User ID` field. Avoid using the `User ID` field in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** The issue allows remote attackers to execute arbitrary code via the `Barcode` field of a container. This is a Cross Site Scripting (XSS) vulnerability. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider disabling the `Barcode` field functionality until a patch is available to prevent exploitation. Restrict access to the container's `Barcode` field to minimize the risk of arbitrary code execution. Avoid using the `Barcode` field in the affected container until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** An issue in Sesami Cash Point & Transport Optimizer (CPTO) allows remote attackers to obtain sensitive information via transmission of unencrypted, cleartext credentials during the Password Reset feature. **Recommendations** For version 6.3.8.6, consider disabling the Password Reset feature until a patch is available to prevent the transmission of unencrypted credentials. Restrict access to sensitive information to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** The issue allows remote attackers to execute arbitrary code and obtain sensitive information via the `Username` field of the login form and application log. This is a Stored Cross Site Scripting (XSS) issue. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider disabling the login form's `Username` field until a patch is available to prevent exploitation. Restrict access to the application log to minimize the risk of sensitive information disclosure. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6 **Description** A Cross Site Scripting (XSS) issue allows remote attackers to execute arbitrary code via the `Teller` field. This enables attackers to inject malicious scripts into the website, potentially leading to unauthorized actions. **Recommendations** For Sesami Cash Point & Transport Optimizer (CPTO) version 6.3.8.6, consider disabling the `Teller` field functionality until a patch is available to prevent exploitation. Additionally, restrict access to sensitive areas of the application to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** SESAMI planfocus CPTO (Cash Point & Transport Optimizer) version 6.3.8.6 718 **Description** An issue was discovered in the software, allowing for XSS via the `Name` field when modifying a client. **Recommendations** For SESAMI planfocus CPTO (Cash Point & Transport Optimizer) version 6.3.8.6 718, consider restricting input to the `Name` field to prevent XSS attacks until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw was found in the "execute-actions-email" endpoint of Keycloak, allowing arbitrary HTML to be injected into emails sent to Keycloak users. This issue can be misused to perform phishing or other attacks against users, essentially conducting a cross-site scripting (XSS) attack. The flaw is related to inadequate protection measures of the web page structure. **Recommendations** As a temporary workaround, consider disabling the `execute-actions-email` endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint to send emails containing potentially malicious content until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.11.0 **Descrição** A vulnerabilidade permite que invasores provoquem uma negação de serviço por meio de um ataque de clickjacking, visando especificamente o botão “Redefinir” na página “Configurações da conta”. **Recomendações** Para versões anteriores à 0.11.0, atualize para a versão 0.11.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso à página “Configurações da conta” para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.11.0 **Descrição** O problema está relacionado a uma vulnerabilidade de Cross Site Scripting (XSS). Ela ocorre por meio do campo “Host IMAP” na página de configurações da conta. **Recomendações** Para versões anteriores à 0.11.0, atualize para a versão 0.11.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao campo Host IMAP na página de configurações da conta até que um patch seja aplicado.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.10.2 **Descrição** O problema ocorre porque o Gophish não invalida o cookie `gophish` quando um usuário faz logout. Isso poderia permitir o acesso não autorizado. **Recomendações** Para versões anteriores à 0.10.2, atualize para a versão 0.10.2 ou posterior para garantir que o cookie `gophish` seja invalidado corretamente ao sair da conta.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.11.0 **Descrição** O problema está relacionado a uma vulnerabilidade de Cross Site Scripting (XSS). Ela ocorre por meio do campo Host no formulário de perfil de envio. **Recomendações** Para versões anteriores à 0.11.0, atualize para a versão 0.11.0 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao campo Host no formulário de perfil de envio até que um patch esteja disponível.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.10.2 **Descrição** Existe uma vulnerabilidade de Cross Site Scripting (XSS), permitindo a execução de scripts maliciosos por meio de uma página de destino ou modelo de e-mail especialmente criados. **Recomendações** Para versões anteriores à 0.10.2, atualize para a versão 0.10.2 ou posterior para resolver o problema.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.11.0 **Descrição** A vulnerabilidade permite a criação de planilhas CSV que contêm conteúdo malicioso. **Recomendações** Para versões anteriores à 0.11.0, atualize para a versão 0.11.0 ou posterior para resolver o problema.

**Nome do software vulnerável e versões afetadas** Versões do Gophish anteriores à 0.11.0 **Descrição** A vulnerabilidade permite ataques de falsificação de solicitação do lado do servidor (SSRF). Isso significa que um invasor pode forçar o servidor a realizar solicitações não autorizadas, levando a vários problemas de segurança. **Recomendações** Para versões anteriores à 0.11.0, atualize para a versão 0.11.0 ou posterior para resolver o problema.