Aleksey Solovev

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The PDO Firebird driver improperly handles NUL bytes during the preparation of SQL queries. When constructing queries token-by-token, a string token containing a NUL byte is processed using the `strncat()` function, which terminates at the NUL byte. This action drops the closing quote, causing subsequent SQL tokens to be interpreted as part of the string. This behavior enables SQL injection when attacker-controlled values are quoted using the `PDO::quote()` function and embedded in SQL statements. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6

**Name of the Vulnerable Software and Affected Versions** PHP versions 8.2.0 through 8.2.30 PHP versions 8.3.0 through 8.3.30 PHP versions 8.4.0 through 8.4.20 PHP versions 8.5.0 through 8.5.5 **Description** The `metaphone()` function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. When a string exceeding 2,147,483,647 bytes is processed, a signed integer overflow occurs. This leads to undefined behavior, specifically an out-of-bounds read, which can cause a segmentation fault or access to unrelated memory, potentially impacting the availability of the PHP process. **Recommendations** Update PHP version 8.2.x to 8.2.31 Update PHP version 8.3.x to 8.3.31 Update PHP version 8.4.x to 8.4.21 Update PHP version 8.5.x to 8.5.6 As a temporary workaround, restrict the length of input strings passed to the `metaphone()` function to be less than 2,147,483,647 bytes.

**Name of the Vulnerable Software and Affected Versions** Moodle (affected versions not specified) **Description** A denial-of-service issue exists in Moodle’s TeX formula editor. Insufficient execution time limits when rendering TeX content using mimetex could allow specially crafted formulas to consume excessive server resources. An authenticated user could exploit this to degrade performance or cause service interruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.11.3 **Description** Nagios XI is susceptible to a cross-site scripting (XSS) issue through the Bandwidth Report component. A lack of proper input validation or escaping could allow an attacker to inject and execute arbitrary script within a user's browser. **Recommendations** Update to version 5.11.3 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.11.3 **Description** The software is susceptible to cross-site scripting (XSS) through the Graph Explorer component. Insufficient validation or escaping of user-supplied input could allow an attacker to inject and execute arbitrary script within a victim’s browser. **Recommendations** Update to version 5.11.3 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.11.3 **Description** Nagios XI is susceptible to cross-site scripting (XSS) through the Bulk Modifications tool. The issue stems from inadequate validation or escaping of user-provided input, potentially enabling an attacker to inject and execute arbitrary script within a victim’s browser. **Recommendations** Update to Nagios XI version 5.11.3 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.11.3 **Description** The software is susceptible to cross-site scripting (XSS) and cross-site request forgery (CSRF) through the Hypermap Replay component. An attacker can submit crafted input that is not properly validated or escaped, leading to the injection of malicious script that executes within a victim’s browser (XSS). The component also lacks sufficient anti-CSRF protections on operations that change system state, potentially allowing an attacker to make authenticated users perform unintended actions. **Recommendations** Update to version 5.11.3 or later.

Name of the Vulnerable Software and Affected Versions: jsPDF versions prior to 3.0.2 Description: jsPDF is a JavaScript library used to generate PDFs. Prior to version 3.0.2, user control over the first argument of the `addImage` method can lead to high CPU utilization and denial of service. Providing unsanitized image data or URLs to the `addImage` method allows a user to supply a malicious PNG file, resulting in excessive CPU usage and a denial-of-service condition. Recommendations: Update to jsPDF version 3.0.2 or later.

Name of the Vulnerable Software and Affected Versions XWiki Platform versions 9.4-rc-1 through 16.10.5 and 17.0.0-rc-1 through 17.2.2 Description XWiki Platform, a generic wiki platform, has a SQL injection issue in the `getdeleteddocuments.vm` template. The vulnerability occurs due to a failure to sanitize the `sort` parameter, allowing an attacker to inject SQL code as an ORDER BY value. Approximately 6,900 instances of XWiki Platform are publicly accessible annually. Recommendations Update to version 16.10.6 or 17.3.0-rc-1.

**Name of the Vulnerable Software and Affected Versions:** PhpOffice/PhpSpreadsheet versions prior to 1.30.0 PhpOffice/PhpSpreadsheet versions prior to 2.1.12 PhpOffice/PhpSpreadsheet versions prior to 2.4.0 PhpOffice/PhpSpreadsheet versions prior to 3.10.0 PhpOffice/PhpSpreadsheet versions prior to 5.0.0 **Description:** PhpOffice/PhpSpreadsheet is a PHP library used for reading and writing spreadsheet files. A Server-Side Request Forgery (SSRF) can occur when processing HTML documents, potentially allowing an attacker to make requests on behalf of the server. The vulnerability resides in the `setPath` method of the `PhpOfficePhpSpreadsheetWorksheetDrawing` class, where a user-supplied string is passed to the HTML reader. Additionally, there is a potential for unsafe deserialization via `phar` archives and the `file exists` method. **Recommendations:** Update PhpOffice/PhpSpreadsheet to version 1.30.0 or later. Update PhpOffice/PhpSpreadsheet to version 2.1.12 or later. Update PhpOffice/PhpSpreadsheet to version 2.4.0 or later. Update PhpOffice/PhpSpreadsheet to version 3.10.0 or later. Update PhpOffice/PhpSpreadsheet to version 5.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** PHP versions prior to 8.4.16-1~deb13u1 PHP versions 7.4 PHP versions 8.2 **Description** Several security issues were identified in PHP, a scripting language, potentially leading to denial of service or memory disclosure. **Recommendations** Upgrade php8.4 packages to version 8.4.16-1~deb13u1. Upgrade php7.4 packages to a newer version. Upgrade php8.2 packages to a newer version.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7 **Description** The issue is related to a cross-site scripting (XSS) vulnerability in custom properties. The HTML page is generated without clearing custom properties, which can allow an attacker to execute arbitrary JavaScript code in the browser. The vulnerable component is the `PhpOfficePhpSpreadsheetWriterHtml` class, specifically the `generateMeta` method. An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code when the Excel file is converted to an HTML representation. **Recommendations** For versions prior to 3.7.0, update to version 3.7.0 or later. For versions prior to 2.3.5, update to version 2.3.5 or later. For versions prior to 2.1.6, update to version 2.1.6 or later. For versions prior to 1.29.7, update to version 1.29.7 or later. As a temporary workaround, consider additional sanitization of special characters in strings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7 **Description** The issue is related to unauthorized reflected cross-site scripting in the `Accounting.php` file. Using the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script, an attacker can perform a cross-site scripting attack. The vulnerability allows an attacker to execute arbitrary JavaScript code in the browser. The vulnerable component is the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` file, and the exploitation conditions involve an unauthorized user. **Recommendations** Update to version 3.7.0 or later to fix the issue. Update to version 2.3.5 or later to fix the issue. Update to version 2.1.6 or later to fix the issue. Update to version 1.29.7 or later to fix the issue. As a temporary workaround, consider sanitizing the `currency` variable in the `Accounting.php` file to prevent cross-site scripting attacks. Restrict access to the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Accounting.php` script to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7 **Description** The issue is related to unauthorized reflected cross-site scripting in the constructor of the `Downloader` class. An attacker can perform a cross-site scripting attack using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script. The vulnerability allows for the execution of arbitrary JavaScript code in the browser. The `name` and `type` variables are not properly sanitized, which can lead to exploitation. **Recommendations** For versions prior to 3.7.0, update to version 3.7.0 or later. For versions prior to 2.3.5, update to version 2.3.5 or later. For versions prior to 2.1.6, update to version 2.1.6 or later. For versions prior to 1.29.7, update to version 1.29.7 or later. As a temporary workaround, consider sanitizing the `name` and `type` variables in the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7 **Description** The issue is related to a cross-site scripting (XSS) vulnerability of the hyperlink base in the HTML page header. The HTML page is formed without sanitizing the hyperlink base, which can allow an attacker to conduct cross-site scripting attacks. This can result in the execution of arbitrary JavaScript code in the browser. The vulnerable component is the class `PhpOfficePhpSpreadsheetWriterHtml`, specifically the method `generateHTMLHeader`. An attacker can embed a payload in a file property that will result in the execution of arbitrary JavaScript code when a user views a specially generated Excel file. **Recommendations** To resolve the issue for versions prior to 3.7.0, update to version 3.7.0 or later. To resolve the issue for versions prior to 2.3.5, update to version 2.3.5 or later. To resolve the issue for versions prior to 2.1.6, update to version 2.1.6 or later. To resolve the issue for versions prior to 1.29.7, update to version 1.29.7 or later. As a temporary workaround, consider adding additional sanitization of special characters in the string used to form the HTML page header.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 **Description** The issue is related to the lack of sanitization in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file, which can lead to a cross-site scripting attack. An attacker can exploit this by sending a specially crafted request to the vulnerable scenario, allowing them to execute arbitrary JavaScript code in the client's browser. The `quantity` variable is displayed without sanitization, making it possible for an attacker to prepare a special HTML form that will be automatically sent to the vulnerable scenario. **Recommendations** For versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7, update to the patched version 3.7.0, 2.3.5, 2.1.6, or 1.29.7 to resolve the issue. As a temporary workaround, consider sanitizing the `quantity` variable in the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file to prevent cross-site scripting attacks.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7 **Description** The issue is related to unauthorized reflected cross-site scripting in the `Currency.php` file. Using the "/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php" script, an attacker can perform a cross-site scripting attack. The vulnerability allows an attacker to execute arbitrary JavaScript code in the browser. The vulnerable component is the "/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php" file, and the exploitation condition is an unauthorized user. The researcher discovered a zero-day vulnerability, Unauthorized Reflected Cross-Site Scripting (XSS), in the `Currency.php` file. **Recommendations** Update to version 3.7.0 or later to secure your spreadsheets from attacks. Update to version 2.3.5 or later to secure your spreadsheets from attacks. Update to version 2.1.6 or later to secure your spreadsheets from attacks. Update to version 1.29.7 or later to secure your spreadsheets from attacks. As a temporary workaround, consider sanitizing the `currency` variable to prevent exploitation. Restrict access to the `/vendor/phpoffice/phpspreadsheet/samples/Wizards/NumberFormat/Currency.php` script to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PhpSpreadsheet versions prior to 3.7.0 PhpSpreadsheet versions prior to 2.3.5 PhpSpreadsheet versions prior to 2.1.6 PhpSpreadsheet versions prior to 1.29.7 **Description** The issue is related to the bypass of the cross-site scripting sanitizer using the javascript protocol and special characters. An attacker can use special characters so that the library processes the javascript protocol with special characters and generates an HTML link, allowing for the execution of arbitrary JavaScript code in the browser. The vulnerable component is the `PhpOfficePhpSpreadsheetWriterHtml` class, specifically the `generateRow` method. Exploitation conditions include a user viewing a specially generated Excel file. **Recommendations** For versions prior to 3.7.0, update to version 3.7.0 or later. For versions prior to 2.3.5, update to version 2.3.5 or later. For versions prior to 2.1.6, update to version 2.1.6 or later. For versions prior to 1.29.7, update to version 1.29.7 or later. As a temporary workaround, consider additional sanitization of special characters in strings to prevent exploitation.

Name of the Vulnerable Software and Affected Versions: SimpleXLSX versions 1.0.12 through 1.1.13 Description: The issue is related to the execution of arbitrary JavaScript code when calling the extended `toHTMLEx` method in SimpleXLSX. This can allow a remote attacker to execute arbitrary JavaScript code. The vulnerability is associated with the lack of protection measures for the web page structure. Recommendations: For SimpleXLSX versions 1.0.12 through 1.1.12, update to version 1.1.13 to resolve the issue. As a temporary workaround, consider avoiding the use of the `toHTMLEx` method until the issue is resolved. Do not use data publication via `toHTMLEx` until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SimpleXLSX versions 1.0.12 through 1.1.12 **Description** The issue allows for the execution of arbitrary JavaScript code when calling the extended `toHTMLEx` method. This can be exploited in versions prior to 1.1.12. The estimated number of potentially affected devices is not provided. There is no information about real-world incidents where this issue was exploited. The technical details of the exploitation include the `toHTMLEx` method, which can execute arbitrary JavaScript code. **Recommendations** For versions 1.0.12 through 1.1.12, update to version 1.1.12 to resolve the issue. As a temporary workaround, consider not using direct publication via the `toHTMLEx` method until the issue is resolved.