C3L3Si4N

**Name of the Vulnerable Software and Affected Versions** Order GLPI plugin versions 1.8.0 through 2.7.6 Order GLPI plugin versions 2.8.0 through 2.10.0 **Description** The issue allows an authenticated user with access to the standard interface to craft a URL that can execute a system command. **Recommendations** For Order GLPI plugin versions 1.8.0 through 2.7.6, update to version 2.7.7. For Order GLPI plugin versions 2.8.0 through 2.10.0, update to version 2.10.1. As a temporary workaround, consider deleting the `ajax/dropdownContact.php` file from the plugin.

**Name of the Vulnerable Software and Affected Versions** GLPI versions 9.4.0 through 10.0.5 **Description** The issue is related to Cross-site Scripting (XSS) due to improper neutralization of input data during web page generation. An attacker can exploit this by persuading a victim to open a URL containing a malicious payload, allowing the attacker to perform actions as the victim or exfiltrate session cookies. **Recommendations** For GLPI versions 9.4.0 through 10.0.5, update to version 10.0.6 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** FreshRSS versions prior to 1.20.2 **Description** FreshRSS is a free, self-hostable RSS aggregator. User configuration files can be accessed by a remote user. In addition to user preferences, such configurations contain hashed passwords of the FreshRSS Web interface. If the API is used, the configuration might contain a hashed password of the GReader API, and a hashed password of the Fever API. **Recommendations** For versions prior to 1.20.2, update to version 1.20.2 or edge. For users unable to upgrade, apply the patch manually or delete the file `./FreshRSS/p/ext.php`.