Bram

**Name of the Vulnerable Software and Affected Versions** TravianZ versions 8.3.3 through 8.3.4 **Description** The issue allows remote attackers to execute PHP code through PHP injection in the config editor on the admin page. **Recommendations** For versions 8.3.3 and 8.3.4, consider disabling the config editor in the admin page until a patch is available. Restrict access to the admin page to minimize the risk of exploitation. Avoid using the config editor feature in the affected versions until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** TravianZ versions 8.3.3 through 8.3.4 **Description** The issue arises from a cryptographically insecure random number generator used in the password reset function, allowing an attacker to guess the password reset parameters and take over accounts. **Recommendations** For versions 8.3.3 and 8.3.4, consider disabling the password reset function until a secure random number generator is implemented. As a temporary workaround, restrict access to the password reset feature to minimize the risk of account takeover. Avoid using the password reset function in the affected versions until the issue is resolved with a secure random number generator implementation.

**Name of the Vulnerable Software and Affected Versions** TravianZ versions 8.3.3 through 8.3.4 **Description** The issue is related to Incorrect Access Control in the installation script, allowing an attacker to overwrite the server configuration and inject PHP code. **Recommendations** For TravianZ versions 8.3.3 and 8.3.4, consider restricting access to the installation script until a patch is available. As a temporary workaround, avoid using the installation script in these versions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TravianZ versions 8.3.4 and earlier **Description** The issue allows for XSS attacks through various means, including the Alliance tag/name, the statistics page, the link preferences, the Admin Logs, or the COOKUSR cookie. **Recommendations** For versions 8.3.4 and earlier, as a temporary workaround, consider restricting access to the Alliance tag/name, the statistics page, the link preferences, the Admin Logs, and avoid using the COOKUSR cookie until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.