Aquilao

Name of the Vulnerable Software and Affected Versions: GetSimpleCMS version 3.4.0a Description: The issue is related to a Cross Site Scripting vulnerability. It affects the admin/snippets.php file via two specific actions: (1) Add Snippet and (2) Save snippets. Recommendations: For GetSimpleCMS version 3.4.0a, consider disabling the `Add Snippet` and `Save snippets` functions in admin/snippets.php as a temporary workaround until a patch is available. Restrict access to the admin/snippets.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GetSimpleCMS version 3.4.0a Description: A Cross Site Scripting (XSS) issue exists in the admin/edit.php file. Recommendations: For GetSimpleCMS version 3.4.0a, update to a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: imcat version 5.2 Description: The issue is related to a SQL Injection vulnerability. It can be exploited via the `fm[auser]` parameters in the "coms/add coms.php" API endpoint. Recommendations: For imcat version 5.2, consider restricting access to the `coms/add coms.php` endpoint until a patch is available. As a temporary workaround, avoid using the `fm[auser]` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 4.0.0 through 4.4.0 **Description** The issue allows for Remote Code Execution (RCE) by uploading an executable script file, such as a PHP file, after logging in as a system administrator. The Edit template component is vulnerable. This can also lead to Cross-Site Scripting (XSS) via arbitrary script execution. The attack vector requires an administrator to be logged in. **Recommendations** For versions 4.0.0 through 4.4.0, update to version 4.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the Edit template component until the update is applied.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 4.0.0 through 4.4.0 **Description** The issue affects several components, including Edit feed settings, Edit widget area, Sub site new registration, and New category registration. It allows arbitrary JavaScript execution by entering specific characters in certain areas, such as the account that can access the file upload function, category list, subsite setting list, widget area edit, and feed list on the management screen. The attack vector requires an administrator to be logged in. The issue was introduced in version 4.0.0 and is fixed in version 4.4.1. **Recommendations** For versions 4.0.0 through 4.4.0, update to version 4.4.1 to resolve the issue. As a temporary workaround, consider restricting access to the affected components, such as Edit feed settings, Edit widget area, Sub site new registration, and New category registration, until the update is applied.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 4.0.0 through 4.3.6 **Description** The issue is related to Cross Site Scripting (XSS) via arbitrary script execution, requiring admin access to exploit. The affected components include content fields.php, content info.php, content options.php, content related.php, index list tree.php, and jquery.bcTree.js. **Recommendations** For versions 4.0.0 through 4.3.6, update to version 4.3.7 to resolve the issue. As a temporary workaround, consider restricting access to the affected components until the update is applied.

**Name of the Vulnerable Software and Affected Versions** baserCMS versions 4.3.6 and earlier **Description** The issue allows for Cross Site Scripting (XSS) via arbitrary script execution, requiring admin access to exploit. The affected component is the toolbar.php file. **Recommendations** For versions 4.3.6 and earlier, update to version 4.3.7 to resolve the issue. As a temporary workaround, consider restricting access to the toolbar.php file to minimize the risk of exploitation.