Mukhammad Khalilov

**Name of the Vulnerable Software and Affected Versions** Imagely NextGen Gallery plugin for Wordpress versions prior to 2.1.57 **Description** The issue arises from improper validation of user input in the `cssfile` parameter of an HTTP POST request. This may allow an authenticated user to read arbitrary files from the server or execute arbitrary code on the server, depending on the server configuration. **Recommendations** For versions prior to 2.1.57, update to version 2.1.57 or later to resolve the issue. As a temporary workaround, consider restricting access to the `cssfile` parameter in the HTTP POST request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QPR Portal versions 2014.1.1 and earlier **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the note-creation page. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `title` or `body` field. **Recommendations** For QPR Portal versions 2014.1.1 and earlier, update to a version later than 2014.1.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** QPR Portal versions 2014.1.1 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `RID` parameter. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For QPR Portal versions 2014.1.1 and earlier, update to a version later than 2014.1.1 to resolve the issue. As a temporary workaround, consider restricting access to the `RID` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** QPR Portal versions prior to 2012.2.1 **Description** The issue allows remote attackers to modify or delete notes by making a direct request. **Recommendations** For versions prior to 2012.2.1, update to version 2012.2.1 or later to resolve the issue.