Ally Petitt

**Name of the Vulnerable Software and Affected Versions** Macs CMS version 1.1.4f **Description** The issue is related to a lack of protection against SQL injection attacks when handling certain parameters, including `resetPassword`, `forgotPasswordProcess`, `saveUser`, `saveRole`, `deleteUser`, `deleteRole`, `deleteComment`, `allowComment`, and `addComment`. This can allow a remote attacker to execute arbitrary code, cause a denial of service (DoS), escalate privileges, and obtain sensitive information by sending specially crafted requests to the affected endpoints, such as "/resetPassword" or "/saveUser". **Recommendations** For Macs CMS version 1.1.4f, as a temporary workaround, consider disabling the `resetPassword`, `forgotPasswordProcess`, `saveUser`, `saveRole`, `deleteUser`, `deleteRole`, `deleteComment`, `allowComment`, `addComment`, and `saveUser` functions until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Avoid using the parameters `resetPassword`, `forgotPasswordProcess`, `saveUser`, `saveRole`, `deleteUser`, `deleteRole`, `deleteComment`, `allowComment`, `addComment`, and `saveUser` in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GNU Savane versions 3.12 and earlier **Description** An issue in GNU Savane allows a remote attacker to escalate privileges via the `form id` in the `form header()` function. **Recommendations** For GNU Savane versions 3.12 and earlier, as a temporary workaround, consider restricting access to the `form header()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CentralSquare Click2Gov Building Permit versions prior to October 2023 **Description** An issue was discovered in CentralSquare Click2Gov Building Permit, where lack of access control protections allows remote attackers to arbitrarily delete contractors from any user's account when the `user ID` and `contractor information` are known. **Recommendations** For versions prior to October 2023, as a temporary workaround, consider restricting access to the user account management functionality until a patch is available. Avoid using the `user ID` and `contractor information` in sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Macrob7 Macs Framework Content Management System (CMS) version 1.1.4f **Description** The issue is related to a PHP type confusion vulnerability due to loose comparison in the `isValidLogin()` function during a login attempt. This vulnerability can lead to authentication bypass and takeover of the administrator account. **Recommendations** For Macrob7 Macs Framework Content Management System (CMS) version 1.1.4f, consider disabling the `isValidLogin()` function until a patch is available to prevent potential exploitation. Restrict access to the login functionality to minimize the risk of authentication bypass.