Pablo Martinez

**Nome do software vulnerável e versões afetadas: bPanel versão 2.0 Descrição: Os pontos de extremidade ajax administrativos, como `ajax/aj *.php`, são acessíveis sem autenticação e permitem injeções SQL, o que pode comprometer a plataforma. Recomendações: Para o bPanel versão 2.0, considere restringir o acesso aos pontos de extremidade ajax administrativos, como `ajax/aj *.php`, até que uma correção esteja disponível para impedir o acesso não autorizado e as injeções SQL.

**Nome do software vulnerável e versões afetadas** Versões do DB Soft SGLAC anteriores à 20.05.001 **Descrição** Uma falha no front-end web do SGLAC permite que um invasor execute comandos SQL arbitrários no SQL Server. Isso pode ser feito utilizando o procedimento armazenado `xp cmdshell` por meio do método `ProcedimientoGenerico` no serviço web `SVCManejador.svc`. **Recomendações** Para versões anteriores à 20.05.001, atualize para a versão 20.05.001 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso ao serviço web `SVCManejador.svc` para minimizar o risco de exploração. Evite usar o procedimento armazenado `xp cmdshell` no SQL Server afetado até que o problema seja resolvido.

**Name of the Vulnerable Software and Affected Versions** Divisa Proxia Suite versions prior to 9.12.16 Divisa Proxia Suite version 9.11.19 Divisa Proxia Suite version 9.10.26 Divisa Proxia Suite version 9.9.8 Divisa Proxia Suite version 9.8.43 Divisa Proxia Suite version 9.7.10 Divisa Proxia Suite versions 10.0 prior to 10.0.32 Divisa Proxia Suite versions 10.1 prior to 10.1.5 SparkSpace versions 1.0 prior to 1.0.30 SparkSpace versions 1.1 prior to 1.1.2 SparkSpace versions 1.2 prior to 1.2.4 Proxia PHR versions 1.0 prior to 1.0.30 Proxia PHR versions 1.1 prior to 1.1.2 **Description** The issue allows remote code execution via untrusted Java deserialization. The `proxia-error` cookie is insecurely deserialized in every request, enabling an unauthenticated attacker to craft a serialized payload and execute arbitrary code via the `prepareError` function in the `com.divisait.dv2ee.controller.MVCControllerServlet` class of the `dv2eemvc.jar` component. **Recommendations** For Divisa Proxia Suite versions prior to 9.12.16, update to version 9.12.16 or later. For Divisa Proxia Suite version 9.11.19, update to version 9.12.16 or later. For Divisa Proxia Suite version 9.10.26, update to version 9.12.16 or later. For Divisa Proxia Suite version 9.9.8, update to version 9.12.16 or later. For Divisa Proxia Suite version 9.8.43, update to version 9.12.16 or later. For Divisa Proxia Suite version 9.7.10, update to version 9.12.16 or later. For Divisa Proxia Suite versions 10.0 prior to 10.0.32, update to version 10.0.32 or later. For Divisa Proxia Suite versions 10.1 prior to 10.1.5, update to version 10.1.5 or later. For SparkSpace versions 1.0 prior to 1.0.30, update to version 1.0.30 or later. For SparkSpace versions 1.1 prior to 1.1.2, update to version 1.1.2 or later. For SparkSpace versions 1.2 prior to 1.2.4, update to version 1.2.4 or later. For Proxia PHR versions 1.0 prior to 1.0.30, update to version 1.0.30 or later. For Proxia PHR versions 1.1 prior to 1.1.2, update to version 1.1.2 or later. As a temporary workaround, consider disabling the `prepareError` function in the `com.divisait.dv2ee.controller.MVCControllerServlet` class until a patch is available.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 9.4.4 **Description** The issue allows for account takeover by exploiting the autocompletion feature in ajax/autocompletion.php due to a lack of proper validation. This enables an attacker to recover the token generated during the password reset process, allowing them to set an arbitrary password for any user, including admin accounts. Additionally, this could be used to obtain sensitive information such as API keys or password hashes. **Recommendations** For versions prior to 9.4.4, update to version 9.4.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the ajax/autocompletion.php endpoint until a patch is applied. Avoid using the password reset functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Ampache versions through 3.9.1 **Description** An issue in the search engine allows for SQL Injection, enabling any user, including guest users, to extract data from the database, such as sessions and hashed passwords. This could lead to the compromise of admin accounts, especially when combined with the weak password generator algorithm in the lostpassword functionality. **Recommendations** For Ampache versions through 3.9.1, consider restricting access to the search functionality, specifically the lib/class/search.class.php file, until a fix is available. As a temporary workaround, limit the use of the lostpassword functionality to prevent exploitation of the weak password generator algorithm.

**Name of the Vulnerable Software and Affected Versions** Ampache versions prior to 3.9.2 **Description** A stored XSS issue exists in the localplay.php LocalPlay "add instance" functionality, allowing injected code to be reflected in the instances menu. This can be exploited to force an admin into creating a new privileged user with known credentials. **Recommendations** For versions prior to 3.9.2, update to version 3.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the localplay.php LocalPlay "add instance" functionality to minimize the risk of exploitation.