Andrea Baesso

**Name of the Vulnerable Software and Affected Versions** Mida eFramework versions prior to 2.9.1 **Description** Multiple Stored Cross Site Scripting (XSS) issues were found. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mida eFramework versions prior to 2.9.1 **Description** A Reflected Cross Site Scripting (XSS) issue was found. This means an attacker could inject malicious scripts into a website, potentially affecting users who visit the site. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mida eFramework versions prior to 2.9.1 **Description** The issue allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges due to an OS Command Injection. No authentication is required. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** eFramework versions prior to 2.9.1 **Description** The issue allows for a change of the administrative password and access to restricted functionalities, such as code execution, due to a back door. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mida eFramework version 2.9.0 **Description** The issue allows an attacker to achieve Remote Code Execution (RCE) with administrative (root) privileges through an OS Command Injection. Authentication is required to exploit this issue. **Recommendations** For Mida eFramework version 2.9.0, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eFramework versions prior to 2.9.1 **Description** The issue allows unauthenticated directory traversal using ../, which can potentially lead to unauthorized access to sensitive files and directories. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mida eFramework versions prior to 2.9.1 **Description** The issue is related to a SQL Injection that leads to Information Disclosure. No authentication is required to exploit this issue. The injection point is located in one of the authentication parameters, specifically in the `authentication parameters`. **Recommendations** For versions prior to 2.9.1, update to version 2.9.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the authentication parameters to minimize the risk of exploitation.