Sureshbabu Narvaneni

**Name of the Vulnerable Software and Affected Versions** Open-AudIT versions prior to 2.2 **Description** The issue affects Open-AudIT, where a CSV injection is possible. **Recommendations** For versions prior to 2.2, update to version 2.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: jDownloads extension versions prior to 3.2.59 for Joomla! Description: The issue allows for XSS, which can be exploited by attackers. Recommendations: For versions prior to 3.2.59, update to version 3.2.59 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WolfCMS version 0.8.3.1 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack user authentication for requests that modify plugin settings by crafting a malicious request. This can be done by exploiting the `plugin/[pluginname]/settings` endpoint. **Recommendations** For WolfCMS version 0.8.3.1, consider implementing proper CSRF protection mechanisms, such as token-based validation, to prevent unauthorized requests from modifying plugin settings. As a temporary workaround, restrict access to the `plugin/[pluginname]/settings` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WolfCMS version 0.8.3.1 **Description** The issue concerns an open redirect vulnerability in the login functionality. This vulnerability allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. The vulnerability is exploited via a malformed URL, specifically targeting the `login[redirect]` parameter in the login functionality. **Recommendations** For WolfCMS version 0.8.3.1, consider restricting access to the login functionality until a fix is available, and avoid using the `login[redirect]` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GetSimple CMS version 3.3.13 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. This is demonstrated by the `movieName` parameter. **Recommendations** For GetSimple CMS version 3.3.13, update to a version that fixes this issue to prevent exploitation. As a temporary workaround, consider restricting access to the `uploadify.swf` file in the `admin/template/js/uploadify` directory until a patch is available. Avoid using the `movieName` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Joom Sky JS Jobs extension versions prior to 1.2.1 **Description** The issue is related to a XSS problem. **Recommendations** For versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** AcyMailing extension versions prior to 5.9.6 for Joomla! **Description** The issue exists in the export feature of the AcyMailing extension, where a value is mishandled in a CSV export, leading to CSV Injection, also known as Excel Macro Injection or Formula Injection. **Recommendations** For versions prior to 5.9.6, update to version 5.9.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** AcySMS extension versions prior to 3.5.1 for Joomla! **Description** The issue exists in the export feature of the AcySMS extension, where a value is mishandled in a CSV export, leading to CSV Injection, also known as Excel Macro Injection or Formula Injection. **Recommendations** For versions prior to 3.5.1, update to version 3.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OpenCMS version 10.5.3 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrative users for requests that perform privilege escalation. The system stores uploaded content, such as SVG files, in the CMS content repository without modification. If an SVG file contains a script, it may be executed, potentially leading to malicious activity. To exploit this issue, a user must have an account in the CMS as a content manager. **Recommendations** For OpenCMS version 10.5.3, consider disabling the `user role.jsp` page in `system/workplace/admin/accounts/` until a patch is available to prevent privilege escalation requests. Restrict access to the CMS content repository to minimize the risk of exploitation. Avoid allowing registered users to upload potentially malicious content, such as SVG files containing scripts, until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Alkacon OpenCMS version 10.5.3 **Description** A cross-site scripting (XSS) issue exists in the gallery function, allowing remote attackers to inject arbitrary web script or HTML via a malicious SVG image. This can be exploited by attackers to execute malicious code on the victim's browser. **Recommendations** For Alkacon OpenCMS version 10.5.3, consider disabling the gallery function until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to the gallery module to minimize the risk of exploitation. Avoid using the gallery function with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.