Samrat Das

**Nome do software vulnerável e versões afetadas** Oracle E-Business Suite, versões 12.2.6 a 12.2.9 **Descrição** O problema está relacionado a um controle de acesso inadequado nos componentes de Registro e Manutenção de Ausências do Oracle Human Resources. Isso permite que um invasor com poucos privilégios e acesso à rede via HTTP comprometa o Oracle Human Resources, exigindo a interação humana de alguém que não seja o próprio invasor. Ataques bem-sucedidos podem resultar em acesso não autorizado para atualizar, inserir ou excluir alguns dos dados acessíveis do Oracle Human Resources, podendo afetar outros produtos. **Recomendações** Para as versões 12.2.6 a 12.2.9, atualize para uma versão que inclua a correção para este problema, a fim de impedir o acesso não autorizado e a modificação de dados. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Frog CMS version 0.9.5 **Description** The issue is related to the lack of an anti-CSRF token in state modification requests, specifically in the "add user" functionality. This allows a malicious user to craft an HTML page that can trick a victim into creating a new user with admin privileges when clicked. The vulnerable endpoint is "/admin/?/user/add". **Recommendations** For Frog CMS version 0.9.5, consider implementing an anti-CSRF token in state modification requests to prevent cross-site request forgery attacks. As a temporary workaround, restrict access to the "/admin/?/user/add" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** October CMS versions through 1.0.431 The RainLab Blog Plugin used in October CMS versions through 1.0.431 **Description** The issue allows for XSS by entering HTML on the Add Posts page. This can be exploited through the RainLab Blog Plugin. **Recommendations** For October CMS versions through 1.0.431, update to a version that includes a fix for this issue. For The RainLab Blog Plugin used in October CMS versions through 1.0.431, consider disabling the plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FrontAccounting version 2.4.3 **Description** The issue concerns a CSRF flaw that allows adding a user account via the "add user" feature of the User Permissions page, accessible through the admin/users.php endpoint. **Recommendations** For FrontAccounting version 2.4.3, consider implementing CSRF protection measures to prevent unauthorized actions, such as adding a user account through the admin/users.php endpoint. As a temporary workaround, restrict access to the admin/users.php endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.3.1 Description: The issue concerns the upload functionality, which accepts random application extensions, leading to malicious file upload. Recommendations: For WonderCMS version 2.3.1, consider disabling the upload functionality until a patch is available to prevent malicious file uploads.

Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.3.1 Description: The application's input fields accept arbitrary user input, resulting in the execution of malicious JavaScript. It is noted that the vendor disputes this issue, stating it is a feature that enables only a logged-in administrator to write and execute JavaScript anywhere on their website. Recommendations: For WonderCMS version 2.3.1, as a temporary workaround, consider restricting access to input fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.3.1 Description: The issue allows for an HTTP Host header injection attack. It utilizes user-entered values to redirect pages. The vendor notes that exploitation is unlikely since the attack can only originate from a local machine or from the administrator as a self-attack. Recommendations: For WonderCMS version 2.3.1, consider restricting the use of user-entered values in page redirects until a fix is available. As a temporary workaround, limit the ability to modify redirect pages to authorized personnel only.