Appcheck Ltd

**Name of the Vulnerable Software and Affected Versions** admin-ajax.php (affected versions not specified) **Description** The issue concerns a reflected Cross Site Scripting vulnerability in the "image url" parameter of the AJAX call to the "editimage bwg" action of admin-ajax.php. This allows an attacker to insert and execute arbitrary JavaScript, but the attacker must target an authenticated user with permissions to access this component to exploit the issue. The "image url" parameter's value is embedded within an existing JavaScript in the response. **Recommendations** As a temporary workaround, consider restricting access to the "editimage bwg" action of admin-ajax.php to minimize the risk of exploitation. Avoid using the `image url` parameter in the affected AJAX endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** admin-ajax.php (affected versions not specified) **Description** The issue concerns a reflected Cross Site Scripting vulnerability in the "current url" parameter of the AJAX call to the "GalleryBox" action of admin-ajax.php. This allows an attacker to insert and execute arbitrary JavaScript, as the value of the "current url" parameter is embedded within an existing JavaScript in the response. No authentication is required to exploit this issue. Other parameters, such as `image id`, must be valid for successful exploitation. **Recommendations** As a temporary workaround, consider restricting access to the "GalleryBox" action of admin-ajax.php until a patch is available. Avoid using the `current url` parameter in the affected AJAX call to the "GalleryBox" action until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** The image upload component is affected by an issue where it allows SVG files, and the regular expression used to remove script tags can be bypassed. This can be done by using a Cross Site Scripting payload that does not match the regular expression, such as including whitespace within the script tag. An attacker must target an authenticated user with permissions to access this feature. However, once the payload is uploaded, it becomes accessible to unauthenticated users as well. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** admin-ajax.php (affected versions not specified) **Description** The issue concerns a reflected Cross Site Scripting vulnerability in the `image id` parameter of the AJAX call to the `editimage bwg` action of `admin-ajax.php`. This allows an attacker to insert and execute arbitrary JavaScript, but the attacker must target an authenticated user with permissions to access this component to exploit the issue. **Recommendations** As a temporary workaround, consider restricting access to the `editimage bwg` action of `admin-ajax.php` to minimize the risk of exploitation. Avoid using the `image id` parameter in the affected AJAX endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** admin-ajax.php (affected versions not specified) **Description** The issue concerns a reflected Cross Site Scripting vulnerability in the `thumb url` parameter of the AJAX call to the `editimage bwg` action of `admin-ajax.php`. This allows an attacker to insert and execute arbitrary JavaScript, as the value of the `thumb url` parameter is embedded within an existing JavaScript in the response. To exploit this issue, the attacker must target an authenticated user with permissions to access this component. **Recommendations** As a temporary workaround, consider restricting access to the `editimage bwg` action of `admin-ajax.php` to minimize the risk of exploitation. Avoid using the `thumb url` parameter in the affected AJAX endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Umbraco (affected versions not specified) **Description** The issue concerns the password reset component in Umbraco, which uses the hostname from the request host header to build a password reset URL. This could allow an attacker to manipulate the URL, potentially directing users to the attacker's server and disclosing the password reset token if the link is followed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Umbraco versions prior to 9.2.0 **Description** The issue concerns the "UmbracoApplicationUrl" configuration element in the Umbraco CMS. This element is used to build URLs pointing back to the site, such as password reset URLs or URLs for administrator invitations. If the Application URL is not specifically configured in Umbraco versions less than 9.2.0, an attacker can manipulate this value, store it persistently, and affect all users for components where "UmbracoApplicationUrl" is used. For example, an attacker can change the password reset URL to point to their server, allowing them to intercept the reset token and take over the account. **Recommendations** For Umbraco versions prior to 9.2.0, update to version 9.2.0 or later to resolve the issue. As a temporary workaround, consider configuring the "UmbracoApplicationUrl" explicitly to prevent manipulation by attackers. Restrict access to components that use the "UmbracoApplicationUrl" to minimize the risk of exploitation.