Okan Kurtuluş

**Nome do software vulnerável e versões afetadas** X2CRM versão 8.5 **Descrição** A vulnerabilidade consiste em um ataque de Cross-Site Scripting (XSS) armazenado no módulo “Oportunidades”. Um invasor pode injetar código JavaScript malicioso no campo `Nome` ao criar uma lista. **Recomendações** Para o X2CRM versão 8.5, como solução temporária, considere restringir o acesso ao módulo “Oportunidades” para minimizar o risco de exploração. Evite usar o campo `Nome` no módulo afetado até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Nome do software vulnerável e versões afetadas** Vtiger CRM versão 8.2.0 **Descrição** O problema está relacionado a uma vulnerabilidade de injeção de HTML no parâmetro `module`. Isso permite que usuários autenticados injetem HTML arbitrário. **Recomendações** Para o Vtiger CRM versão 8.2.0, considere restringir o acesso ao parâmetro `module` para impedir a injeção de HTML até que uma correção esteja disponível.

**Name of the Vulnerable Software and Affected Versions** October CMS version 3.4.4 **Description** The issue allows attackers to execute arbitrary code via a crafted file, specifically an svg file, which can be uploaded to the system. This can be done in the context of a browser and requires the attacker to be authenticated as a user. **Recommendations** For October CMS version 3.4.4, consider disabling the file upload feature, especially for svg files, until a patch is available to prevent arbitrary code execution. Restrict access to the file upload module to minimize the risk of exploitation. Avoid using the file upload functionality with untrusted files or sources until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.2.17 **Description** A Cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the File Upload function. **Recommendations** For CMS Made Simple version 2.2.17, update to a version that fixes this issue to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Food Ordering System version 1.0 **Description** A SQL Injection issue allows attackers to execute commands on the database by sending crafted SQL queries to the `ID` parameter. **Recommendations** For Food Ordering System version 1.0, avoid using the `ID` parameter in SQL queries until a fix is available. Consider implementing input validation and sanitization for the `ID` parameter to prevent malicious SQL queries.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.2.17 **Description** The issue allows for Remote Command Execution via the File Upload Function. **Recommendations** For CMS Made Simple version 2.2.17, update to a version that fixes this issue.

**Name of the Vulnerable Software and Affected Versions** ReQlogic version 11.3 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `POBatch` and `WaitDuration` parameters. This enables the execution of malicious code on the web application. **Recommendations** For ReQlogic version 11.3, consider restricting access to the `POBatch` and `WaitDuration` parameters to minimize the risk of exploitation. Avoid using these parameters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.