Aaron Bishop

Name of the Vulnerable Software and Affected Versions: TinyMCE versions prior to 5.6.0 Description: A stored cross-site scripting vulnerability was discovered in the URL sanitization logic of the core parser, allowing arbitrary JavaScript execution when inserting specially crafted content into the editor. This impacts all users using TinyMCE 5.5.1 or lower. An unauthenticated and remote attacker could insert crafted HTML into the editor, resulting in arbitrary JavaScript execution in another user's browser. Recommendations: To resolve the issue, upgrade to TinyMCE 5.6.0 or higher. As a temporary workaround, manually sanitize `iframe`, `object`, and `embed` URL attributes using a TinyMCE node filter. Alternatively, disable `iframe`, `object`, and `embed` elements in your content using the `invalid elements` setting.

**Name of the Vulnerable Software and Affected Versions** MITREid Connect versions 1.3.3 and earlier **Description** The issue allows for XSS due to `userInfoJson` being included in the page unsanitized, related to `header.tag`. This can be exploited to execute arbitrary JavaScript. The user's name is included in `topbar.tag` and `header.tag` without being sanitized. **Recommendations** For versions 1.3.3 and earlier, consider sanitizing the `userInfoJson` to prevent XSS attacks. As a temporary workaround, restrict the use of `header.tag` and `topbar.tag` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WiKID 2FA Enterprise Server versions through 4.2.0-b2047 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via multiple API endpoints, including "/wikid/servlet/com.wikidsystems.server.GetDomainHash" with the `H` parameter, and several other endpoints with the `S` parameter or an unspecified parameter `a`. These endpoints include "/wikid/DomainData", "/wikid/PreRegisterLookup", "/wikid/PreRegister", "/wikid/InitDevice", and several variations of "/wikid/servlet/InitDevice" and "/servlet/com.wikidsystems.server.InitDevice". The injected script or HTML is triggered when "Logs.jsp" is visited, as the `rendered message` column is retrieved and displayed unsanitized. **Recommendations** For WiKID 2FA Enterprise Server versions through 4.2.0-b2047, consider disabling access to the vulnerable API endpoints, such as "/wikid/servlet/com.wikidsystems.server.GetDomainHash", "/wikid/DomainData", "/wikid/PreRegisterLookup", "/wikid/PreRegister", "/wikid/InitDevice", and related "InitDevice" endpoints, until a patch is available. Additionally, restrict the use of the `H` and `S` parameters, as well as the unspecified parameter `a`, in these endpoints to minimize the risk of exploitation. Avoid using the `rendered message` column in "Logs.jsp" until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WiKID 2FA Enterprise Server versions through 4.2.0-b2047 **Description** A stored and reflected cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the "/WiKIDAdmin/groups.jsp" API endpoint. The `groupName` parameter is vulnerable, causing reflected cross-site scripting to occur immediately after a group is created. The malicious script is stored and will be executed again whenever the "/WiKIDAdmin/groups.jsp" endpoint is visited. **Recommendations** For WiKID 2FA Enterprise Server versions through 4.2.0-b2047, consider disabling access to the "/WiKIDAdmin/groups.jsp" endpoint until a patch is available, and restrict the use of the `groupName` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** WiKID 2FA Enterprise Server versions through 4.2.0-b2047 **Description** A stored and reflected cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the "/WiKIDAdmin/adm usrs.jsp" API endpoint. The `usr` parameter is vulnerable, with the reflected cross-site scripting occurring immediately after a user is created. The malicious script is stored and will be executed whenever the "/WiKIDAdmin/adm usrs.jsp" endpoint is visited. **Recommendations** For WiKID 2FA Enterprise Server versions through 4.2.0-b2047, consider disabling access to the "/WiKIDAdmin/adm usrs.jsp" endpoint until a fix is available, and restrict the use of the `usr` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WiKID Enterprise 2FA Enterprise Server versions through 4.2.0-b2047 **Description** The issue allows for SQL injection through the "searchDevices.jsp" endpoint, utilizing the `uid` and `domain` parameters unsanitized in a SQL query constructed in the `buildSearchWhereClause` function. **Recommendations** For versions through 4.2.0-b2047, as a temporary workaround, consider restricting access to the "searchDevices.jsp" endpoint until a patch is available. Avoid using the `uid` and `domain` parameters in this endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BlogEngine.NET versions 3.3.7.0 and earlier **Description** The issue is related to XML External Entity Blind Injection. It is associated with the `pingback.axd` endpoint and the `BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs` file. **Recommendations** For BlogEngine.NET versions 3.3.7.0 and earlier, consider disabling the `pingback.axd` endpoint until a patch is available. Restrict access to the `BlogEngine.Core/Web/HttpHandlers/PingbackHandler.cs` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 (affected versions not specified) **Description** The issue is related to the lack of protection of the web page structure in Zyxel firewalls, allowing a remote attacker to perform a cross-site scripting attack using the `mp idx` parameter. This can lead to Reflected XSS on the Zyxel login page. **Recommendations** For Zyxel ATP200, ATP500, ATP800, USG20-VPN, USG20W-VPN, USG40, USG40W, USG60, USG60W, USG110, USG210, USG310, USG1100, USG1900, USG2200-VPN, ZyWALL 110, ZyWALL 310, ZyWALL 1100 devices, consider disabling access to the vulnerable login page until a patch is available. As a temporary workaround, avoid using the `mp idx` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.