Balejin

**Name of the Vulnerable Software and Affected Versions** Ays Pro Survey Maker versions through 5.1.8.8 **Description** A flaw exists in Ays Pro Survey Maker that allows for Stored Cross-site Scripting (XSS). This issue occurs due to improper neutralization of input during web page generation. Successful exploitation could allow an attacker to inject malicious scripts into web pages viewed by other users. The vulnerable component is the survey-maker functionality. **Recommendations** Update Ays Pro Survey Maker to a version later than 5.1.8.8.

**Name of the Vulnerable Software and Affected Versions** Sismics Teedy versions up to 1.11 **Description** A flaw exists in Sismics Teedy that could lead to improper access controls. This issue affects the API Endpoint component and specifically involves the `/api/file` file and an unknown function. The vulnerability can be exploited remotely. The details of the exploit have been publicly disclosed. The vendor was informed of the issue but did not provide a response. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A flaw exists in JhumanJ OpnForm up to version 1.9.3 related to an unrestricted upload issue stemming from manipulation of an unknown functionality within the `/answer` file. This manipulation allows for remote exploitation. The exploit is publicly available. **Recommendations** Implement patch 95c3e23856465d202e6aec10bdb6ee0688b5305a to correct this issue.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A flaw exists in JhumanJ OpnForm up to version 1.9.3, specifically within the Form Editor component. This issue involves manipulation of the `/api/open/forms/` file, leading to cross site scripting. The attack can be initiated remotely. The vendor has indicated the feature is disabled until a user configures their own domain, which will mitigate the attack vector. **Recommendations** Ensure a custom domain is configured to mitigate the attack vector.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A missing authorization check exists in the API endpoint responsible for managing custom domains, located at `/custom-domains`. This allows for unauthorized manipulation of custom domain settings. The vulnerability affects unknown code within the `/custom-domains` file of the API Endpoint component. The exploit has been publicly disclosed. **Recommendations** Apply the patch beb153ce52dceb971c1518f98333328c95f1ba20.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A flaw exists in the processing of the `/show/integrations` file within JhumanJ OpnForm. Manipulation of this file can lead to missing authorization checks, potentially allowing for remote exploitation. The patch identified as 11d97d78f2de2cb49f79baed6bde8b611ec1f384 addresses this issue. **Recommendations** Apply the patch 11d97d78f2de2cb49f79baed6bde8b611ec1f384 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A security issue exists in JhumanJ OpnForm related to improper restriction of excessive authentication attempts. The issue is located within the HTTP Header Handler component and involves manipulation of the `X-Forwarded-For` argument. The attack can be carried out remotely and requires a high degree of complexity, though exploitability is described as difficult. The exploit is publicly available. **Recommendations** Install patch 11e99960e14ca986b1a001a56e7533223d2cfa5b to address this issue.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A security flaw exists in JhumanJ OpnForm. The issue involves an unknown function within the component’s API Endpoint and can lead to cross-site request forgery. The attack can be initiated remotely. While the vendor indicates API calls require authentication via Authorization Bearer Tokens, mitigating classic CSRF attacks, an attacker could exploit the flaw if they obtain the JWT through other means, such as cross-site scripting (XSS). The exploit has been publicly released. **Recommendations** Versions prior to 1.9.3 should be used.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A weakness exists in JhumanJ OpnForm, potentially leading to information exposure. The issue stems from a discrepancy within the Forgotten Password Handler component, specifically related to the file `/api/password/email`. The attack can be initiated remotely and is considered to have high complexity, with difficult exploitability. The exploit is publicly available and is related to Laravel issue #46465. The vulnerable function is unknown. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions through 1.9.3 **Description** A flaw exists in JhumanJ OpnForm that could allow for improper access controls. The issue is related to manipulation of an unknown function within the `/edit` endpoint. The exploit has been publicly disclosed. **Recommendations** Apply patch b15e29021d326be127193a5dbbd528c4e37e6324 to resolve this issue.

**Name of the Vulnerable Software and Affected Versions** JhumanJ OpnForm versions up to 1.9.3 **Description** A security issue exists in JhumanJ OpnForm that allows for cross site scripting. This impacts an unknown functionality within the `/show/submissions` file. The attack can be initiated remotely and has been publicly disclosed. **Recommendations** Deploy the patch with identifier a2af1184e53953afa8cb052f4055f288adcaa608.

**Name of the Vulnerable Software and Affected Versions** Koillection versions up to 1.6.18 **Description** A cross-site request forgery issue exists in Koillection. The issue is related to an unknown function within the `assets/controllers/csrf protection controller.js` file. This manipulation can be executed remotely. The exploit has been publicly disclosed. The vendor addressed this issue by switching to a newer, stateless CSRF handling mechanism. **Recommendations** Upgrade to version 1.7.0 to address this issue.