Robin Verton

Name of the Vulnerable Software and Affected Versions: ServiceNow versions prior to Release Jakarta Patch 8 Description: The issue allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the `sysparm media` parameter of the report viewer.do endpoint. Recommendations: For versions prior to Release Jakarta Patch 8, update to a version newer than Release Jakarta Patch 8 to resolve the issue. As a temporary workaround, consider restricting access to the `sysparm media` parameter in the report viewer.do endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Trovebox versions prior to 4.0.0-rc6 **Description** The issue is related to an unsafe password reset token generation in the user component, which can lead to password reset. This can be exploited via an HTTP request. **Recommendations** For versions prior to 4.0.0-rc6, update to a version that includes the fix committed after 742b8ed to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trovebox versions prior to 4.0.0-rc6 (after commit 742b8ed contains the fix, implying versions up to 4.0.0-rc6 are affected) **Description** The issue is related to a Server-Side request forgery vulnerability in the webhook component. This can lead to unauthorized read or update of internal resources. The attack is exploitable via an HTTP request. **Recommendations** For Trovebox versions prior to 4.0.0-rc6, update to a version that includes the fix committed after 742b8ed to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trovebox versions prior to 4.0.0-rc6 (after commit 742b8ed contains the fix, implying versions before this commit are affected) **Description** The issue is related to a SQL Injection vulnerability in the album component, which can lead to SQL code injection. This can be exploited via an HTTP request. **Recommendations** For Trovebox versions prior to 4.0.0-rc6, update to a version that includes the fix committed after 742b8ed to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Trovebox versions prior to 4.0.0-rc6 (after commit 742b8edbe contains the fix) **Description** The issue is related to a PHP Type juggling vulnerability in the album view component, which can lead to authentication bypass. This can be exploited via an HTTP request. **Recommendations** For versions prior to 4.0.0-rc6, update to a version that includes the fix committed after 742b8edbe to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kaltura versions prior to 13.2.0 **Description** The issue concerns the wiki decode Developer System Helper function in the admin panel, which allows remote attackers to conduct PHP object injection attacks. This enables the execution of arbitrary PHP code via a crafted serialized object. **Recommendations** For versions prior to 13.2.0, update to version 13.2.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kaltura versions prior to 13.2.0 **Description** The issue concerns the getUserzoneCookie function, which uses a hardcoded cookie secret to validate cookie signatures. This allows remote attackers to bypass an intended protection mechanism, conduct PHP object injection attacks, and execute arbitrary PHP code via a crafted userzone cookie. **Recommendations** For versions prior to 13.2.0, update to version 13.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the getUserzoneCookie function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** webSPELL versions 4.0 and later **Description** The issue allows remote attackers to bypass authentication by utilizing a `ws auth` cookie. **Recommendations** For webSPELL version 4.0 and later, update to a version that includes a fix for this authentication bypass issue.

**Name of the Vulnerable Software and Affected Versions** webSPELL (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via a `ws auth` cookie. This is a distinct issue from other known vulnerabilities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** dotProject versions 2.0.1 and earlier **Description** The issue allows remote attackers to obtain sensitive configuration information because certain files, specifically `phpinfo.php` and `check.php`, remain accessible under the `/docs/` directory after installation. The vendor disputes this issue, stating it could only occur if the administrator ignores installation instructions and warnings generated by `check.php`. **Recommendations** For dotProject versions 2.0.1 and earlier, ensure that `phpinfo.php` and `check.php` are not accessible under the `/docs/` directory after installation by following the installation instructions carefully and addressing any warnings generated by `check.php`. As a temporary workaround, consider restricting access to the `/docs/` directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Nuke version 7.8 **Description** The issue allows remote attackers to execute arbitrary SQL commands due to multiple SQL injection vulnerabilities in the modules.php file when magic quotes gpc is disabled. This is achieved by exploiting the `name`, `sid`, and `pid` parameters in a POST request, which bypasses the security checks performed for GET requests. **Recommendations** For PHP-Nuke version 7.8, consider disabling the modules.php file or restricting access to it until a patch is available. As a temporary workaround, enable magic quotes gpc to prevent SQL injection attacks via the `name`, `sid`, and `pid` parameters in POST requests. Restrict input for these parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AlstraSoft Affiliate Network Pro version 7.2 **Description** The issue allows remote attackers to bypass authentication and execute arbitrary SQL commands. This can be achieved via the `username` or `password` to admin/admin validate login, or the `login`, `password`, and `flag` parameters to "login validate.php". **Recommendations** For AlstraSoft Affiliate Network Pro version 7.2, consider disabling the login functionality until a patch is available to prevent exploitation. Restrict access to the "login validate.php" endpoint to minimize the risk of SQL injection attacks. Avoid using the `username`, `password`, and `flag` parameters in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** AlstraSoft Template Seller Pro version 3.25 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `username` field in the admin/index.php file. **Recommendations** For version 3.25, update to a newer version that contains a fix for this issue, or as a temporary workaround, consider restricting access to the admin/index.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AlstraSoft Template Seller Pro version 3.25 **Description** The issue allows remote attackers to execute arbitrary PHP code via the `config[basepath]` parameter in the payment paypal.php file. **Recommendations** For AlstraSoft Template Seller Pro version 3.25, consider restricting access to the vulnerable payment paypal.php file until a patch is available. As a temporary workaround, avoid using the `config[basepath]` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** AlstraSoft Affiliate Network Pro version 7.2 **Description** A direct static code injection issue exists in the admin options manage.php file, allowing attackers to execute arbitrary PHP code via the `number` parameter. It is unclear whether administrator privileges are required to exploit this issue. **Recommendations** For AlstraSoft Affiliate Network Pro version 7.2, consider restricting access to the admin options manage.php file and the `number` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** AlstraSoft Affiliate Network Pro version 7.2 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Specifically, the vulnerabilities are found in the Err parameter in `admin/index.php` and the `firstname` and `lastname` parameters in `index.php`. **Recommendations** For AlstraSoft Affiliate Network Pro version 7.2, consider validating and sanitizing user input for the Err parameter in `admin/index.php` and the `firstname` and `lastname` parameters in `index.php` to prevent XSS attacks. As a temporary workaround, restrict access to these parameters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AlstraSoft Affiliate Network Pro version 7.2 **Description** The issue allows remote attackers to obtain sensitive information by making a direct request to certain scripts, including `togateway.php` and other unspecified scripts. **Recommendations** For AlstraSoft Affiliate Network Pro version 7.2, consider restricting access to the `togateway.php` script and other vulnerable scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion versions 6.00.206 and earlier **Description** The issue allows remote attackers to obtain the full path via unspecified vectors due to an unspecified vulnerability in the subheader.php file. **Recommendations** For PHP-Fusion versions 6.00.206 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion versions 6.00.206 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `forum id` parameter to "options.php" or the `lastvisited` parameter to "viewforum.php". **Recommendations** For PHP-Fusion versions 6.00.206 and earlier, update to a version later than 6.00.206 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHPCalendar version 1.0 PHPClique version 1.0 PHPCurrently version 2.0 PHPFanBase versions 2.1 through 2.2 PHPQuotes version 1.0 **Description** The issue allows remote attackers to include arbitrary local files via the `siteurl` parameter when `register globals` is enabled. **Recommendations** For PHPCalendar version 1.0, consider disabling the `siteurl` parameter until a patch is available. For PHPClique version 1.0, restrict access to the vulnerable module to minimize the risk of exploitation. For PHPCurrently version 2.0, avoid using the `siteurl` parameter in the affected API endpoint until the issue is resolved. For PHPFanBase versions 2.1 through 2.2, as a temporary workaround, consider disabling the functionality that uses the `siteurl` parameter. For PHPQuotes version 1.0, restrict the use of the `siteurl` parameter to prevent arbitrary file inclusion.