Apple502J

**Name of the Vulnerable Software and Affected Versions** Command Block IDE versions up to and including 0.4.9 **Description** The issue is related to a missing authorization that allows any user to modify `function` files used by the game when the mod is installed on a dedicated server. This is due to an authorization flaw. **Recommendations** For Command Block IDE versions up to and including 0.4.9, consider restricting access to the `function` files to prevent unauthorized modifications until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Plasmoapp RPShare Fabric mod version 1.0.0 **Description** The issue allows a remote attacker to execute arbitrary code via the `build` method in `DonwloadPromptScreen`. **Recommendations** For Plasmoapp RPShare Fabric mod version 1.0.0, consider disabling the `build` method in `DonwloadPromptScreen` as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plasmoapp RPShare Fabric mod version 1.0.0 **Description** The issue allows a remote attacker to execute arbitrary code. This is achieved via the `getFileNameFromConnection` method in `DownloadTask`. **Recommendations** For Plasmoapp RPShare Fabric mod version 1.0.0, consider disabling the `getFileNameFromConnection` method in `DownloadTask` as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** JustEnoughItems (JEI) versions 19.5.0.33 and before **Description** The issue is related to an Improper Validation of Specified Index, Position, or Offset in Input, specifically a failure to validate slot index in JEI for Minecraft. This allows in-game item duplication. **Recommendations** For JustEnoughItems (JEI) versions 19.5.0.33 and before, consider disabling the slot index validation feature until a patch is available. Restrict access to the JEI module to minimize the risk of exploitation. Avoid using the `slot index` variable in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** EMI versions 1.1.10 and before **Description** The issue is related to an Improper Validation of Specified Index, Position, or Offset in Input vulnerability. Specifically, it is a failure to validate slot index and decrement stack count in the EMI mod for Minecraft, allowing in-game item duplication. **Recommendations** For EMI versions 1.1.10 and before, update to version 1.1.11 to resolve the issue. As a temporary workaround, consider restricting the use of the EMI mod until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Mommy Heather Advanced Backups versions up to 3.5.3 **Description** The issue allows attackers to write arbitrary files via restoring a crafted backup. **Recommendations** For versions up to 3.5.3, update to a version later than 3.5.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WordPress versions 4.1 through 4.1.40 WordPress versions 4.2 through 4.2.37 WordPress versions 4.3 through 4.3.33 WordPress versions 4.4 through 4.4.32 WordPress versions 4.5 through 4.5.31 WordPress versions 4.6 through 4.6.28 WordPress versions 4.7 through 4.7.28 WordPress versions 4.8 through 4.8.24 WordPress versions 4.9 through 4.9.25 WordPress versions 5.0 through 5.0.21 WordPress versions 5.1 through 5.1.18 WordPress versions 5.2 through 5.2.20 WordPress versions 5.3 through 5.3.17 WordPress versions 5.4 through 5.4.15 WordPress versions 5.5 through 5.5.14 WordPress versions 5.6 through 5.6.13 WordPress versions 5.7 through 5.7.11 WordPress versions 5.8 through 5.8.9 WordPress versions 5.9 through 5.9.9 WordPress versions 6.0 through 6.0.8 WordPress versions 6.1 through 6.1.6 WordPress versions 6.2 through 6.2.5 WordPress versions 6.3 through 6.3.4 WordPress versions 6.4 through 6.4.4 WordPress versions 6.5 through 6.5.4 **Description** The issue is related to an Improper Limitation of a Pathname to a Restricted Directory, also known as a Path Traversal vulnerability. This allows Relative Path Traversal in Automattic WordPress. **Recommendations** For WordPress versions 4.1 through 4.1.40, update to a version outside of this range. For WordPress versions 4.2 through 4.2.37, update to a version outside of this range. For WordPress versions 4.3 through 4.3.33, update to a version outside of this range. For WordPress versions 4.4 through 4.4.32, update to a version outside of this range. For WordPress versions 4.5 through 4.5.31, update to a version outside of this range. For WordPress versions 4.6 through 4.6.28, update to a version outside of this range. For WordPress versions 4.7 through 4.7.28, update to a version outside of this range. For WordPress versions 4.8 through 4.8.24, update to a version outside of this range. For WordPress versions 4.9 through 4.9.25, update to a version outside of this range. For WordPress versions 5.0 through 5.0.21, update to a version outside of this range. For WordPress versions 5.1 through 5.1.18, update to a version outside of this range. For WordPress versions 5.2 through 5.2.20, update to a version outside of this range. For WordPress versions 5.3 through 5.3.17, update to a version outside of this range. For WordPress versions 5.4 through 5.4.15, update to a version outside of this range. For WordPress versions 5.5 through 5.5.14, update to a version outside of this range. For WordPress versions 5.6 through 5.6.13, update to a version outside of this range. For WordPress versions 5.7 through 5.7.11, update to a version outside of this range. For WordPress versions 5.8 through 5.8.9, update to a version outside of this range. For WordPress versions 5.9 through 5.9.9, update to a version outside of this range. For WordPress versions 6.0 through 6.0.8, update to a version outside of this range. For WordPress versions 6.1 through 6.1.6, update to a version outside of this range. For WordPress versions 6.2 through 6.2.5, update to a version outside of this range. For WordPress versions 6.3 through 6.3.4, update to a version outside of this range. For WordPress versions 6.4 through 6.4.4, update to a version outside of this range. For WordPress versions 6.5 through 6.5.4, update to a version outside of this range.

**Name of the Vulnerable Software and Affected Versions** iceice666 ResourcePack Server versions prior to 1.0.8 **Description** A Directory Traversal issue allows a remote attacker to disclose files on the server. The issue is related to the `setPath` in `ResourcePackFileServer.kt`. **Recommendations** For versions prior to 1.0.8, update to version 1.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `setPath` function in `ResourcePackFileServer.kt` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** zly2006 Reden versions prior to 0.2.514 **Description** A Directory Traversal issue allows a remote attacker to execute arbitrary code via the `DEBUG RTC REQUEST SYNC DATA` in `KeyCallbacks.kt`. This enables the attacker to potentially access and manipulate sensitive data. **Recommendations** For versions prior to 0.2.514, update to version 0.2.514 or later to resolve the issue. As a temporary workaround, consider restricting access to the `DEBUG RTC REQUEST SYNC DATA` in `KeyCallbacks.kt` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Devan-Kerman ARRP versions 0.8.1 and before **Description** The issue allows a remote attacker to execute arbitrary code via the `dumpDirect` in `RuntimeResourcePackImpl` component. This enables the attacker to potentially access and manipulate files on the system, leading to unauthorized actions. **Recommendations** For Devan-Kerman ARRP versions 0.8.1 and before, consider disabling the `dumpDirect` function in the `RuntimeResourcePackImpl` component as a temporary workaround until a patch is available. Restrict access to the `RuntimeResourcePackImpl` component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kihron ServerRPExposer versions 1.0.2 and before **Description** A Directory Traversal issue allows a remote attacker to execute arbitrary code via the `loadServerPack` in `ServerResourcePackProviderMixin.java`. This enables the attacker to potentially access and manipulate files outside the intended directory structure. **Recommendations** For versions 1.0.2 and before, consider disabling the `loadServerPack` function in `ServerResourcePackProviderMixin.java` as a temporary workaround until a patch is available. Restrict access to the `ServerResourcePackProviderMixin.java` module to minimize the risk of exploitation. Avoid using the `loadServerPack` function in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** simple sort&search WordPress plugin versions 0.0.3 and earlier **Description** The issue arises from the simple sort&search WordPress plugin not validating the `indexurl` parameter of certain shortcodes, including `category sims`, `order sims`, `orderby sims`, `period sims`, and `tag sims`, to ensure they use allowed URL protocols. This oversight can lead to stored cross-site scripting, potentially exploitable by users with a role as low as Contributor. **Recommendations** For versions 0.0.3 and earlier, as a temporary workaround, consider disabling the shortcodes `category sims`, `order sims`, `orderby sims`, `period sims`, and `tag sims` until a patch is available. Restrict access to these shortcodes to minimize the risk of exploitation. Avoid using the `indexurl` parameter in the affected shortcodes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sollace Unicopia versions 1.1.1 and before **Description** The issue allows attackers to execute arbitrary code due to the deserialization of untrusted data. **Recommendations** For versions 1.1.1 and before, update to a version that does not deserialize untrusted data to prevent arbitrary code execution. As a temporary workaround, consider restricting the input data to trusted sources until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VK All in One Expansion Unit versions 9.88.1.0 and earlier **Description** A cross-site scripting issue in the Profile setting function allows a remote authenticated attacker to inject an arbitrary script. **Recommendations** For versions 9.88.1.0 and earlier, update to a version that fixes this issue to prevent arbitrary script injection. As a temporary workaround, consider restricting access to the Profile setting function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VK Blocks versions 1.53.0.1 and earlier VK Blocks Pro versions 1.53.0.1 and earlier **Description** A cross-site scripting issue in the Tag edit function allows a remote authenticated attacker to inject an arbitrary script. This enables the attacker to execute malicious code on the affected system. **Recommendations** For VK Blocks versions 1.53.0.1 and earlier, update to a version later than 1.53.0.1 to resolve the issue. For VK Blocks Pro versions 1.53.0.1 and earlier, update to a version later than 1.53.0.1 to resolve the issue. As a temporary workaround, consider restricting access to the Tag edit function in VK Blocks and VK Blocks Pro until a patch is available.

**Name of the Vulnerable Software and Affected Versions** VK Blocks versions 1.53.0.1 and earlier VK Blocks Pro versions 1.53.0.1 and earlier **Description** A cross-site scripting issue in the Post function allows a remote authenticated attacker to inject an arbitrary script. **Recommendations** For VK Blocks versions 1.53.0.1 and earlier, update to a version later than 1.53.0.1. For VK Blocks Pro versions 1.53.0.1 and earlier, update to a version later than 1.53.0.1.

**Name of the Vulnerable Software and Affected Versions** VK All in One Expansion Unit versions 9.88.1.0 and earlier **Description** A cross-site scripting issue in the CTA post function allows a remote authenticated attacker to inject an arbitrary script. **Recommendations** For versions 9.88.1.0 and earlier, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Passster WordPress plugin versions prior to 3.5.5.8 **Description** The issue allows users with a role as low as Contributor to perform Cross-Site Scripting attacks due to the `area` parameter of its shortcode not being properly escaped. **Recommendations** For versions prior to 3.5.5.8, update to version 3.5.5.8 or later to resolve the issue. As a temporary workaround, consider restricting the use of the shortcode or limiting user roles to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** The Download Plugin WordPress plugin versions prior to 2.0.0 **Description** The issue arises from improper validation of user privileges to access a backup's nonce identifier. This may allow any users with an account on the site, such as subscribers, to download a full copy of the website. **Recommendations** For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to backup functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ScratchLogin extension versions 1.1 and earlier for MediaWiki **Description** The issue allows users with administrator privileges to perform cross-site scripting (XSS) due to the failure to escape verification failure messages. **Recommendations** For ScratchLogin extension versions 1.1 and earlier, consider disabling the extension until a patch is available to prevent cross-site scripting (XSS) attacks.