Sven Vetsch

**Nome do software vulnerável e versões afetadas** Versões do AlCoda NetBiblio WebOPAC anteriores à 4.0.0.320 Versões do AlCoda NetBiblio WebOPAC posteriores à 4.0.0.328 **Descrição** Existe uma vulnerabilidade de Cross-site Scripting (XSS) na funcionalidade de pesquisa do AlCoda NetBiblio WebOPAC, permitindo que um usuário não autenticado crie um ataque de Cross-site Scripting refletido. **Recomendações** Para versões do AlCoda NetBiblio WebOPAC anteriores à 4.0.0.320, atualize para a versão 4.0.0.335 ou posterior. Para versões do AlCoda NetBiblio WebOPAC posteriores à 4.0.0.328, atualize para a versão 4.0.0.335 ou posterior. Como solução alternativa temporária, considere restringir o acesso à funcionalidade de pesquisa até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** Mahara versions prior to 1.0.13 Mahara versions 1.1.x prior to 1.1.7 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. **Recommendations** For Mahara versions prior to 1.0.13, update to version 1.0.13 or later. For Mahara versions 1.1.x prior to 1.1.7, update to version 1.1.7 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions prior to 3.2.0.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted SQL bookmark. **Recommendations** For versions prior to 3.2.0.1, update to version 3.2.0.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 2.8.0.2 through 2.8.0.3 phpMyAdmin version 2.8.1-dev phpMyAdmin version 2.9.0-dev **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `lang` parameter in the index.php file. **Recommendations** For phpMyAdmin versions 2.8.0.2 through 2.8.0.3, consider restricting access to the index.php file until a fix is available. For phpMyAdmin version 2.8.1-dev, avoid using the `lang` parameter in the index.php file until the issue is resolved. For phpMyAdmin version 2.9.0-dev, restrict access to the vulnerable index.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** e107 version 0.6174 **Description** The issue allows remote attackers to redirect users to other web sites via the `download` parameter in "rate.php". This occurs after a user submits a file download rating. By default, the `e BASE` variable restricts the redirection to the same web site. **Recommendations** For e107 version 0.6174, consider restricting access to the "rate.php" file or validating the `download` parameter to prevent unauthorized redirects. As a temporary workaround, restrict the `e BASE` variable to limit redirections to the same web site.

**Name of the Vulnerable Software and Affected Versions** Microsoft Internet Explorer version 6.0 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML in corrupted image and audio files, such as .GIF, JPG, and WAV. These files are rendered as HTML when the user clicks on the link, despite the web server response and file extension indicating that they should be treated as a different file type. **Recommendations** For Microsoft Internet Explorer version 6.0, consider disabling the rendering of HTML in files with non-HTML extensions as a temporary workaround until a patch is available. Restrict access to potentially corrupted files to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpBB version 2.0.17 **Description** The issue arises from an interpretation conflict when remote avatars and avatar uploading are enabled, allowing remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension. This can lead to cross-site scripting (XSS) attacks when a victim views the file in Internet Explorer, which renders malformed image types as HTML. **Recommendations** For phpBB version 2.0.17, consider disabling remote avatar and avatar uploading features until a proper fix is applied to prevent the injection of arbitrary web script or HTML. As a temporary workaround, restrict access to avatar uploading to minimize the risk of exploitation.