Alex Williams

**Name of the Vulnerable Software and Affected Versions** GFI HelpDesk versions prior to 4.99.10 **Description** A stored cross-site scripting issue exists in the Reports module. The `title` parameter is passed directly to the `SWIFT Report::Create()` function without HTML sanitization. This allows attackers to inject arbitrary JavaScript into the report title field during the creation or editing of a report. The injected payload executes when staff members view and click the affected report link within the Manage Reports interface. **Recommendations** Update to version 4.99.10 or later. As a temporary workaround, restrict access to the Reports module or avoid using the `title` parameter in the affected interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** GFI HelpDesk versions prior to 4.99.9 **Description** A stored cross-site scripting issue exists in the language management functionality. The 'charset' POST parameter is passed directly to the `SWIFT Language::Create()` function without HTML sanitization and is later rendered unsanitized by `View Language.RenderGrid()`. This allows an authenticated administrator to inject arbitrary JavaScript through the `charset` field when creating or editing a language, which then executes in the browser of any administrator viewing the Languages page. **Recommendations** Update to version 4.99.9 or later.

**Name of the Vulnerable Software and Affected Versions** GFI HelpDesk versions prior to 4.99.9 **Description** A stored cross-site scripting issue exists in the Troubleshooter module. An authenticated staff member can inject arbitrary JavaScript into the step subject field because the POST parameter 'subject' is not sanitized in the functions `Controller Step.InsertSubmit()` and `EditSubmit()` before being rendered by `View Step.RenderViewSteps()`. The payload executes when a user navigates to Troubleshooter > View Troubleshooter and clicks the affected step link. **Recommendations** Update to version 4.99.9 or later. As a temporary workaround, restrict access to the Troubleshooter module for staff members who do not require it.

**Name of the Vulnerable Software and Affected Versions** GFI HelpDesk versions prior to 4.99.9 **Description** A stored cross-site scripting issue exists in the ticket subject field. Authenticated staff members can inject malicious JavaScript by manipulating the 'editsubject' POST parameter. This occurs due to inadequate sanitization in the `Controller Ticket.EditSubmit()` function, which bypasses the incomplete `SanitizeForXSS()` method, allowing arbitrary JavaScript execution when other staff members or administrators view the affected ticket. **Recommendations** Update to version 4.99.9 or later. As a temporary workaround, restrict access to the `Controller Ticket.EditSubmit()` function or the 'editsubject' parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GFI HelpDesk versions prior to 4.99.9 **Description** A stored cross-site scripting issue exists in the template group creation and editing functionality. Authenticated administrators can inject arbitrary JavaScript by manipulating the `companyname` POST parameter, which lacks proper HTML sanitization. Malicious scripts injected through the `companyname` field execute in the browsers of any administrator who views the 'Templates > Groups' page. **Recommendations** Update to version 4.99.9 or later.

Name of the Vulnerable Software and Affected Versions Checkmk versions 2.2.0 (EOL), 2.3.0 through 2.3.0p45, 2.4.0 through 2.4.0p24, and 2.5.0 (beta) through 2.5.0b2 Description Insufficient sanitization of dashboard dashlet title links allows an attacker with dashboard creation privileges to perform stored cross-site scripting (XSS) attacks. An attacker can trick a victim into clicking a crafted dashlet title link on a shared dashboard. Recommendations Update to Checkmk version 2.3.0p46 or later. Update to Checkmk version 2.4.0p25 or later. Update to Checkmk version 2.5.0b3 or later.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` parameter in the '/cgi-bin/dnat.cgi' endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and subsequently executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` parameter in the '/cgi-bin/snat.cgi' endpoint. An authenticated attacker can inject arbitrary JavaScript code, which is then stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` parameter in the '/cgi-bin/outgoingfw.cgi' endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` parameter in the '/cgi-bin/routing.cgi' endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` user `ham spam` parameter in the '/cgi-bin/salearn.cgi' endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` parameter in the '/manage/dhcp/fixed leases/' endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS). An authenticated attacker can inject malicious JavaScript code through the `name` parameter of the '/manage/qos/classes/' endpoint. This injected code is then stored and executed when other authenticated users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `dscp` parameter in the '/manage/qos/rules/' API endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier allow authenticated users to execute arbitrary OS commands through the `DATE` parameter in the '/cgi-bin/logs smtp.cgi' endpoint. The vulnerability arises from an incomplete regular expression validation when constructing a file path using the `DATE` parameter value, which is then passed to a Perl `open()` call, leading to command injection. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier are susceptible to stored cross-site scripting (XSS) through the `remark` parameter in the '/manage/dnsmasq/hosts/' endpoint. An authenticated attacker can inject arbitrary JavaScript code that is stored and executed when other users access the affected page. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Authenticated users can execute arbitrary OS commands through the `DATE` parameter in the '/cgi-bin/logs firewall.cgi' endpoint. This is due to an incomplete regular expression validation when constructing a file path using the `DATE` parameter value, which is then passed to a Perl `open()` call, leading to command injection. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier permit authenticated users to execute arbitrary operating system commands through the `DATE` parameter of the '/cgi-bin/logs clamav.cgi' endpoint. The `DATE` parameter's value is used in constructing a file path passed to a Perl `open()` function, enabling command injection due to insufficient regular expression validation. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier allow authenticated users to execute arbitrary OS commands through the `DATE` parameter in the '/cgi-bin/logs openvpn.cgi' endpoint. The `DATE` parameter value is used to construct a file path passed to a Perl `open()` call, enabling command injection due to insufficient regular expression validation. Recommendations Update Endian Firewall to a version later than 3.3.25.

Name of the Vulnerable Software and Affected Versions Endian Firewall versions 3.3.25 and prior Description Endian Firewall versions 3.3.25 and earlier allow authenticated users to execute arbitrary OS commands via the `DATE` parameter to the '/cgi-bin/logs ids.cgi' API endpoint. The `DATE` parameter value is used to construct a file path that is passed to a Perl `open()` function call. This allows command injection due to an incomplete regular expression validation. Recommendations Update Endian Firewall to a version later than 3.3.25.