Brad Antoniewicz

**Name of the Vulnerable Software and Affected Versions** firmCHANNEL Digital Signage versions 3.24 and earlier **Description** A cross-site scripting issue exists in the account module, allowing remote attackers to inject arbitrary web script or HTML via the `action` parameter to "index.php". **Recommendations** For firmCHANNEL Digital Signage versions 3.24 and earlier, avoid using the `action` parameter in the "index.php" endpoint until a fix is available. As a temporary workaround, consider restricting access to the account module to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MetaGauge versions prior to 1.0.3.38 Description: The issue allows remote attackers to read arbitrary files via a ".." (dot dot backslash) in the URL. This is a directory traversal vulnerability. Recommendations: For versions prior to 1.0.3.38, update to version 1.0.3.38 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cisco Building Broadband Service Manager (BBSM) Captive Portal version 5.3 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `msg` parameter in AccessCodeStart.asp. **Recommendations** For Cisco Building Broadband Service Manager (BBSM) Captive Portal version 5.3, avoid using the `msg` parameter in the affected AccessCodeStart.asp until the issue is resolved.