Taihei Shimamine

**Nome do Software Vulnerável e Versões Afetadas** Versões do Splunk Enterprise anteriores à 9.4.1 Versões do Splunk Enterprise anteriores à 9.3.3 Versões do Splunk Enterprise anteriores à 9.2.5 Versões do Splunk Enterprise anteriores à 9.1.8 Versões do Splunk Cloud Platform anteriores à 9.3.2408.107 Versões do Splunk Cloud Platform anteriores à 9.2.2406.112 Versões do Splunk Cloud Platform anteriores à 9.2.2403.115 Versões do Splunk Cloud Platform anteriores à 9.1.2312.208 Versões do Splunk Cloud Platform anteriores à 9.1.2308.214 **Descrição** Um usuário com baixos privilégios sem as funções "admin" ou "power" do Splunk poderia contornar a caixa de diálogo modal de aviso de conteúdo externo em dashboards do Dashboard Studio, potencialmente levando à divulgação de informações. **Recomendações** Para versões do Splunk Enterprise anteriores à 9.4.1, atualize para a versão 9.4.1 ou posterior. Para versões do Splunk Enterprise anteriores à 9.3.3, atualize para a versão 9.3.3 ou posterior. Para versões do Splunk Enterprise anteriores à 9.2.5, atualize para a versão 9.2.5 ou posterior. Para versões do Splunk Enterprise anteriores à 9.1.8, atualize para a versão 9.1.8 ou posterior. Para versões do Splunk Cloud Platform anteriores à 9.3.2408.107, atualize para a versão 9.3.2408.107 ou posterior. Para versões do Splunk Cloud Platform anteriores à 9.2.2406.112, atualize para a versão 9.2.2406.112 ou posterior. Para versões do Splunk Cloud Platform anteriores à 9.2.2403.115, atualize para a versão 9.2.2403.115 ou posterior. Para versões do Splunk Cloud Platform anteriores à 9.1.2312.208, atualize para a versão 9.1.2312.208 ou posterior. Para versões do Splunk Cloud Platform anteriores à 9.1.2308.214, atualize para a versão 9.1.2308.214 ou posterior.

**Nome do software vulnerável e versões afetadas** Versões do Splunk Config Explorer anteriores à 1.7.16 **Descrição** A vulnerabilidade existe devido à proteção inadequada da estrutura da página da web no Splunk Config Explorer, permitindo um ataque de script entre sites (XSS). Se explorada, isso poderia levar à execução de um script arbitrário no navegador do usuário. **Recomendações** Para versões anteriores à 1.7.16, atualize para a versão 1.7.16 ou posterior para resolver o problema. Como solução temporária, considere restringir o acesso à interface web do Splunk Config Explorer até que a atualização seja aplicada.

**Nome do software vulnerável e versões afetadas** SonicDICOM Media Viewer versões 2.3.2 e anteriores **Descrição** Existe uma falha relacionada a um elemento de caminho de pesquisa não controlado, o que pode levar ao carregamento inseguro de bibliotecas de ligação dinâmica (DLLs). Como resultado, código arbitrário pode ser executado com os privilégios do aplicativo em execução. **Recomendações** Para as versões 2.3.2 e anteriores do SonicDICOM Media Viewer, considere desativar o carregamento de bibliotecas de ligação dinâmica até que uma correção esteja disponível. Restrinja o acesso a áreas sensíveis do aplicativo para minimizar o risco de exploração. No momento, não há informações sobre uma versão mais recente que contenha uma correção para esta vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** Rename Media Files versions n/a through 1.0.1 **Description** The issue is related to an Improper Control of Generation of Code ('Code Injection') vulnerability. This vulnerability affects the Rename Media Files software. **Recommendations** For versions n/a through 1.0.1, update to a version later than 1.0.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Criss Swaim TPG Redirect plugin versions 1.0.7 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions 1.0.7 and earlier, update to a version later than 1.0.7 to resolve the issue. As a temporary workaround, consider implementing CSRF token validation to prevent unauthorized requests. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TotalPress.Org Custom post types, Custom Fields & more plugin versions 4.0.12 and earlier **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin+ privileges can inject malicious scripts into the application, which can then be executed by other users. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions 4.0.12 and earlier, update to a version later than 4.0.12 to resolve the issue. As a temporary workaround, consider restricting access to the Custom post types, Custom Fields & more plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Supsystic Contact Form by Supsystic plugin versions <= 1.7.27 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions <= 1.7.27, update to a version higher than 1.7.27 to resolve the issue. As a temporary workaround, consider restricting access to sensitive functions of the Supsystic Contact Form plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Arul Prasad J Publish Confirm Message plugin versions prior to 1.3.1 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** hwk-fr WP 404 Auto Redirect to Similar Post plugin versions 1.0.3 and earlier **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin access can inject malicious scripts into the website, potentially affecting users who visit the site. **Recommendations** For versions 1.0.3 and earlier, update to a version later than 1.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Supersoju Block Referer Spam plugin versions 1.1.9.4 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. This vulnerability affects the Supersoju Block Referer Spam plugin. **Recommendations** For Supersoju Block Referer Spam plugin versions 1.1.9.4 and earlier, update to a version later than 1.1.9.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bill Minozzi Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin versions prior to 7.32 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects the Bill Minozzi Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin. This vulnerability requires authentication with admin+ privileges. **Recommendations** For versions prior to 7.32, update to version 7.32 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Form team Easy Form by AYS plugin versions 1.2.0 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions 1.2.0 and earlier, update to a version later than 1.2.0 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Matt Gibbs Custom Field Suite plugin versions <= 2.6.2.1 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For Matt Gibbs Custom Field Suite plugin versions <= 2.6.2.1, update to a version higher than 2.6.2.1 to resolve the issue.