Patrick Hof

**Name of the Vulnerable Software and Affected Versions** BibORB versions 1.3.2 and earlier **Description** The issue allows remote attackers to inject arbitrary HTML and web script via the `search` parameter in the "bibindex.php" file. This enables attackers to perform cross-site scripting (XSS) attacks. **Recommendations** For BibORB versions 1.3.2 and earlier, as a temporary workaround, consider restricting access to the "bibindex.php" file or sanitizing the `search` parameter to prevent injection of malicious scripts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BibORB versions 1.3.2 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `Username` or `Password` variables. **Recommendations** For BibORB versions 1.3.2 and earlier, update to a version that fixes this issue, as no specific workaround is provided for these versions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BibORB versions 1.3.2 and earlier **Description** The issue allows remote attackers to delete arbitrary files via a Delete action and .. (dot dot) sequences in the `database name` parameter in index.php. **Recommendations** For BibORB versions 1.3.2 and earlier, as a temporary workaround, consider restricting access to the Delete action in index.php to minimize the risk of exploitation. Avoid using the `database name` parameter with .. (dot dot) sequences in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BibORB versions 1.3.2 and earlier **Description** The issue is related to the improper enforcement of a restriction for uploading only PDF and PS files. This allows remote attackers to upload arbitrary files, which are then presented to other users with PDF or PS icons. This could potentially trick some users into downloading and executing those files. **Recommendations** For BibORB versions 1.3.2 and earlier, consider restricting file uploads to only PDF and PS files as a temporary workaround until a patch is available. Additionally, users should be cautious when downloading files, even if they are presented with PDF or PS icons. At the moment, there is no information about a newer version that contains a fix for this vulnerability.