Benjamin Lim

**Name of the Vulnerable Software and Affected Versions** CyberArk Secure Web Sessions Extension versions prior to 2.2.30305 **Description** A flaw exists in CyberArk Secure Web Sessions Extension on Chrome and Edge that could lead to a denial of service when initiating new Secure Web Sessions (SWS) sessions. The issue is due to improper input validation. **Recommendations** Update CyberArk Secure Web Sessions Extension to version 2.2.30305 or later.

**Name of the Vulnerable Software and Affected Versions** Oturia Smart Google Code Inserter plugin versions prior to 3.5 **Description** The issue allows unauthenticated attackers to insert arbitrary JavaScript or HTML code that runs on all pages served by WordPress. This is achieved via the `sgcgoogleanalytic` parameter. The `saveGoogleCode()` function in smartgooglecode.php does not check if the current request is made by an authorized user, thus allowing any unauthenticated user to successfully update the inserted code. **Recommendations** For Oturia Smart Google Code Inserter plugin versions prior to 3.5, update to version 3.5 or later to resolve the issue. As a temporary workaround, consider disabling the `saveGoogleCode()` function in smartgooglecode.php until a patch is available. Restrict access to the `sgcgoogleanalytic` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Oturia Smart Google Code Inserter plugin versions prior to 3.5 **Description** The issue allows unauthenticated attackers to execute SQL queries in the context of the web server due to a lack of prepared statements and sanitization of the `oId` variable in the `saveGoogleAdWords()` function. **Recommendations** For Oturia Smart Google Code Inserter plugin versions prior to 3.5, update to version 3.5 or later to resolve the issue. As a temporary workaround, consider disabling the `saveGoogleAdWords()` function until a patch is available. Restrict access to the `smartgooglecode.php` file to minimize the risk of exploitation. Avoid using the `oId` variable in the affected SQL query until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Participants Database plugin versions prior to 1.7.5.10 **Description** The issue is related to a cross-site scripting (XSS) problem. **Recommendations** For versions prior to 1.7.5.10, update to version 1.7.5.10 or later to resolve the issue.