Ahrixia

Name of the Vulnerable Software and Affected Versions: PHPJabbers Cinema Booking System version 2.0 Description: The issue concerns reflected cross-site scripting (XSS), where multiple endpoints improperly handle user input. This allows malicious scripts to execute in a victim's browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks. Recommendations: For PHPJabbers Cinema Booking System version 2.0, consider disabling endpoints that improperly handle user input as a temporary workaround until a patch is available. Restrict access to sensitive user data to minimize the risk of exploitation. Avoid using user-input handling functions in affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: PHPJabbers Cinema Booking System version 2.0 Description: A stored cross-site scripting (XSS) issue exists due to unsanitized input in file upload fields (`event img`, `seat maps`) and seat number configurations (`number[new X]` in `pjActionCreate`). This allows attackers to inject persistent JavaScript, leading to phishing, malware injection, and session hijacking. Recommendations: For PHPJabbers Cinema Booking System version 2.0, consider disabling the file upload fields (`event img`, `seat maps`) and restricting access to the seat number configurations (`number[new X]` in `pjActionCreate`) until a patch is available. Avoid using the `number[new X]` parameter in the `pjActionCreate` function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: PHPJabbers Cinema Booking System version 2.0 Description: An SQL injection vulnerability in the `pjActionGetUser` function allows attackers to manipulate database queries via the `column` parameter. This can lead to unauthorized information disclosure, privilege escalation, or database manipulation. Recommendations: To resolve the issue, update PHPJabbers Cinema Booking System to a version that fixes the SQL injection vulnerability in the `pjActionGetUser` function. As a temporary workaround, consider restricting access to the `pjActionGetUser` function to minimize the risk of exploitation. Additionally, avoid using the `column` parameter in the affected function until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: PHPJabbers Cinema Booking System version 2.0 Description: A cross-site request forgery (CSRF) vulnerability in the `pjActionUpdate` function allows remote attackers to escalate privileges by tricking an authenticated admin into submitting an unauthorized request. Recommendations: For PHPJabbers Cinema Booking System version 2.0, consider disabling the `pjActionUpdate` function until a patch is available to prevent exploitation. Restrict access to this function to minimize the risk of privilege escalation. Avoid using this function in scenarios where an authenticated admin may be tricked into submitting unauthorized requests. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenKM version 7.1.40 **Description** A Stored Cross-Site Scripting (XSS) issue exists that allows an authenticated user to upload a note on a file, which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS. The vulnerability is related to the lack of protection of the web page structure when processing the `text` parameter, which can allow a remote attacker to conduct cross-site scripting attacks by uploading specially crafted malicious files. **Recommendations** For OpenKM version 7.1.40, consider disabling the note upload feature until a patch is available to prevent exploitation of the stored XSS vulnerability. Restrict access to the note feature in the document file to minimize the risk of triggering the XSS payload. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mooSocial version 3.1.8 **Description** The issue allows a remote attacker to obtain sensitive information via a crafted script to the `q` parameter in the Search function. This is a Cross Site Scripting vulnerability. **Recommendations** For mooSocial version 3.1.8, consider restricting access to the Search function until a patch is available. As a temporary workaround, avoid using the `q` parameter in the Search function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mooSocial version 3.1.8 **Description** The issue allows a remote attacker to execute arbitrary code via a crafted payload to the `mode` parameter of the invite friend login function. This is a Cross Site Scripting (XSS) issue. **Recommendations** For mooSocial version 3.1.8, consider disabling the invite friend login function until a patch is available to prevent exploitation. Restrict access to the `mode` parameter to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** MooSocial version 3.1.8 **Description** A Cross Site Request Forgery (CSRF) issue allows a remote attacker to execute arbitrary code and obtain sensitive information via the admin Password Change Function. This can be exploited to gain unauthorized access to sensitive data. **Recommendations** For MooSocial version 3.1.8, update to a version that includes a fix for this issue, as using the admin Password Change Function may allow remote attackers to execute arbitrary code. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mooSocial version 3.1.8 **Description** The issue allows a remote attacker to execute arbitrary code via a crafted payload to the `admin redirect url` parameter of the user login function. This is a Cross Site Scripting (XSS) issue. **Recommendations** For mooSocial version 3.1.8, consider restricting access to the `admin redirect url` parameter in the user login function until a patch is available. As a temporary workaround, avoid using the `admin redirect url` parameter in the affected login functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** mooSocial version 3.1.8 **Description** The issue concerns external service interaction on the post function. When executed, the server sends HTTP and DNS requests to an external server. The parameters affected are multiple, including `messageText`, `data[wall photo]`, `data[userShareVideo]`, and `data[userShareLink]`. **Recommendations** For mooSocial version 3.1.8, consider disabling the post function until a patch is available to prevent external service interaction. Restrict access to the parameters `messageText`, `data[wall photo]`, `data[userShareVideo]`, and `data[userShareLink]` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** mooSocial version 3.1.8 **Description** A reflected cross-site scripting (XSS) vulnerability exists in multiple URLs of the software, allowing attackers to steal user's session cookies and impersonate their account via a crafted URL. The vulnerability is also present in the change email function. **Recommendations** For mooSocial version 3.1.8, consider disabling the change email function until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. Avoid using crafted URLs that may trigger the XSS vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** mooSocial version 3.1.8 **Description** A reflected cross-site scripting (XSS) vulnerability in the `data[redirect url]` parameter allows attackers to steal user's session cookies and impersonate their account via a crafted URL. **Recommendations** For mooSocial version 3.1.8, avoid using the `data[redirect url]` parameter in affected API endpoints until the issue is resolved. As a temporary workaround, consider restricting access to sensitive user data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webkil QloApps version 1.5.2 **Description** A Cross Site Scripting issue allows a remote attacker to obtain sensitive information via the `back` and `email create` parameters in the AuthController.php file. **Recommendations** For Webkil QloApps version 1.5.2, consider disabling the `back` and `email create` parameters in the AuthController.php file as a temporary workaround until a patch is available. Restrict access to the AuthController.php file to minimize the risk of exploitation. Avoid using the `back` and `email create` parameters until the issue is resolved.