Adam Kues

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 2024R1.1 **Description** A cross-site scripting (XSS) issue exists in Nagios XI when a user visits the "missing page" (404) page after following a link from another website. The `page-missing.php` component does not properly validate or escape user-supplied input, which allows an attacker to create a malicious link. When a victim visits this link, arbitrary JavaScript code can be executed in the victim’s browser within the Nagios XI domain. **Recommendations** Update to version 2024R1.1 or later.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.132 Liferay DXP versions 2025.Q1.0 through 2025.Q1.4 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.15 Liferay Portal versions 7.4 GA through update 92 **Description** The application contains a pre-authentication blind Server-Side Request Forgery (SSRF) vulnerability in the `portal-settings-authentication-opensso-web` component. This is due to improper validation of user-supplied URLs. An attacker can exploit this issue to force the server to make arbitrary HTTP requests to internal systems, potentially leading to internal network enumeration or further exploitation. **Recommendations** Liferay Portal versions 7.4.0 through 7.4.3.132 should be updated. Liferay DXP versions 2025.Q1.0 through 2025.Q1.4 should be updated. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 should be updated. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 should be updated. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 should be updated. Liferay DXP versions 2024.Q1.1 through 2024.Q1.15 should be updated. Liferay Portal versions 7.4 GA through update 92 should be updated.

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.133 Liferay DXP versions 2025.Q1.0 through 2025.Q1.4 Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 Liferay DXP versions 2024.Q1.1 through 2024.Q1.15 Liferay Portal 7.4 GA through update 92 **Description** A reflected cross-site scripting (XSS) vulnerability exists that allows a remote, non-authenticated attacker to inject JavaScript. The vulnerability is located in the `modules/apps/blogs/blogs-web/src/main/resources/META-INF/resources/blogs/entry cover image caption.jsp` file. **Recommendations** Liferay Portal versions 7.4.0 through 7.4.3.133 should be updated. Liferay DXP versions 2025.Q1.0 through 2025.Q1.4 should be updated. Liferay DXP versions 2024.Q4.0 through 2024.Q4.7 should be updated. Liferay DXP versions 2024.Q3.1 through 2024.Q3.13 should be updated. Liferay DXP versions 2024.Q2.0 through 2024.Q2.13 should be updated. Liferay DXP versions 2024.Q1.1 through 2024.Q1.15 should be updated. Liferay Portal 7.4 GA through update 92 should be updated.

**Name of the Vulnerable Software and Affected Versions** Adobe Experience Manager versions 6.5.23 and earlier **Description** Adobe Experience Manager versions 6.5.23 and earlier are affected by a misconfiguration vulnerability that could result in arbitrary code execution. An attacker could leverage this vulnerability to bypass security mechanisms and execute code without user interaction. Exploitation of this issue changes the scope of access. This vulnerability is actively being exploited and a public proof-of-concept is available. The vulnerability is related to a misconfigured servlet that evaluates unvalidated OGNL expressions, potentially enabling attackers to execute arbitrary commands. The vulnerability is present when the Struts development mode is enabled. **Recommendations** Update Adobe Experience Manager to version 6.5.0-0108 or later. Disable the development mode (`devMode`) immediately.

Name of the Vulnerable Software and Affected Versions: Apache Jackrabbit versions prior to 2.23.2 Description: The software contains Blind XXE vulnerabilities in jackrabbit-spi-commons and jackrabbit-core due to the use of an unsecured document build to load privileges. Recommendations: Upgrade to version 2.20.17 (Java 8). Upgrade to version 2.22.1 (Java 11). Upgrade to version 2.23.2 (Java 11, beta versions).

**Name of the Vulnerable Software and Affected Versions** Liferay Portal versions 7.4.0 through 7.4.3.131 Liferay DXP versions 2024.Q1.1 through 2024.Q4.5 **Description** A reflected cross-site scripting (XSS) issue exists in Liferay Portal and DXP. A remote, unauthenticated attacker can inject JavaScript code into the `/modules/apps/marketplace/marketplace-app-manager-web` component. The attacker can exploit this by crafting a malicious URL containing the injected script. When a user clicks on this link, the browser executes the script, potentially allowing the attacker to gain access to the user's session and data. The exploit involves sending a crafted request to the `/o/marketplace-app-manager-web/icon.jsp` endpoint with a malicious `iconURL` parameter. The vulnerable parameter is `iconURL`. **Recommendations** Liferay Portal versions 7.4.0 through 7.4.3.131: Update to a newer version. Liferay DXP versions 2024.Q1.1 through 2024.Q4.5: Update to a newer version.

**Name of the Vulnerable Software and Affected Versions** Sawtooth Lighthouse Studio versions prior to 9.16.14 **Description** A template injection vulnerability exists in the Perl web application `ciwweb.pl` within Sawtooth Lighthouse Studio, allowing unauthenticated attackers to execute arbitrary commands. Approximately 480 services are potentially affected worldwide. **Recommendations** Update Sawtooth Lighthouse Studio to version 9.16.14 or later.

**Name of the Vulnerable Software and Affected Versions** Palo Alto Networks PAN-OS (affected versions not specified) **Description** An authentication bypass in the management web interface allows an unauthenticated attacker with network access to bypass required authentication and invoke specific PHP scripts. This issue stems from path confusion between Nginx and Apache. While it does not enable remote code execution, it can negatively impact the integrity and confidentiality of the system, allowing attackers to extract sensitive system data, recover firewall configurations, or manipulate certain settings. Approximately 4,400 devices have been identified as exposing their management interface to the internet, and active exploitation has been observed since February 13. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability. Restrict access to the management web interface to only trusted internal IP addresses.

**Name of the Vulnerable Software and Affected Versions** ServiceNow versions prior to the June 2024 patching cycle **Description** The issue is related to an input validation vulnerability that could enable an unauthenticated user to remotely execute code within the context of the Now Platform. This vulnerability was identified in the Washington DC, Vancouver, and earlier Now Platform releases. **Recommendations** Apply security patches relevant to your instance as soon as possible, specifically those released during the June 2024 patching cycle.

**Name of the Vulnerable Software and Affected Versions** ServiceNow versions prior to the June 2024 patching cycle **Description** A sensitive file read issue was identified in the Washington DC, Vancouver, and Utah Now Platform releases. This could allow an administrative user to gain unauthorized access to sensitive files on the web application server. **Recommendations** Apply security patches relevant to your instance as soon as possible.

**Name of the Vulnerable Software and Affected Versions** ServiceNow versions prior to the updated versions that include the security patches for the Vancouver and Washington DC Now Platform releases **Description** The issue is related to an improper input validation vulnerability that could enable an unauthenticated user to remotely execute code within the context of the Now Platform. This vulnerability was identified in the Vancouver and Washington DC Now Platform releases. ServiceNow has applied an update to hosted instances and released the update to partners and self-hosted customers. **Recommendations** Apply the security patches relevant to your instance as soon as possible to address the vulnerability. If you have not done so already, update your instance with the latest patches and hot fixes provided by ServiceNow to prevent remote code execution by unauthenticated users.

**Name of the Vulnerable Software and Affected Versions** Next.js versions prior to 14.1.1 **Description** A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions. If the `Host` header is modified, and certain conditions are met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required conditions are 1) Next.js is running in a self-hosted manner; 2) the Next.js application makes use of Server Actions; and 3) the Server Action performs a redirect to a relative path which starts with a `/`. It is estimated that over 3.1 million services are potentially affected. **Recommendations** For Next.js versions prior to 14.1.1, upgrade to Next.js version 14.1.1 to resolve the issue. As a temporary workaround, consider restricting access to Server Actions or disabling the use of relative paths starting with `/` in Server Actions until a patch is applied. Additionally, be cautious when modifying the `Host` header to prevent potential SSRF attacks.

**Name of the Vulnerable Software and Affected Versions** Flarum versions prior to 1.8.0 **Description** The issue allows an attacker to conduct a Blind Server-Side Request Forgery (SSRF) attack or disclose any file on the server, even with a basic user account on any Flarum forum. This is due to the behavior of the `intervention/image` package, which attempts to interpret the supplied file contents as a URL, which then fetches its contents. An attacker can exploit this by uploading a file containing a URL and spoofing the MIME type, manipulating the application to execute unintended actions. This enables the attacker to perform SSRF attacks, disclose local file contents, or conduct a blind oracle attack. **Recommendations** For versions prior to 1.8.0, upgrade to version 1.8.0 to resolve the issue. As a temporary workaround for the SSRF aspect of the vulnerability, consider disabling PHP's `allow url fopen`, which will prevent the fetching of external files via URLs.

**Name of the Vulnerable Software and Affected Versions** Percona Monitoring and Management (PMM) server versions 2.x through 2.37.0 **Description** The issue arises from the authenticate function in auth server.go not properly formalizing and sanitizing URL paths, which fails to reject path traversal attempts. This allows an unauthenticated remote user to access protected API routes by making a crafted POST request against unauthenticated API routes, leading to escalation of privileges and information disclosure. **Recommendations** For Percona Monitoring and Management (PMM) server versions 2.x through 2.37.0, update to version 2.37.1 or later to resolve the issue. As a temporary workaround, consider restricting access to unauthenticated API routes to minimize the risk of exploitation.