Chor4O

**Name of the Vulnerable Software and Affected Versions** vBulletin versions 6.x **Description** A flaw in the Login component allows a remote attacker to perform a manipulation that results in cross-site scripting (XSS), which is a technique where malicious scripts are injected into trusted websites. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LigeroSmart versions through 6.1.26 **Description** A security issue exists in LigeroSmart. Manipulation of the `TicketID` argument within an unknown function of the `/otrs/index.pl` file can lead to cross site scripting. This attack can be launched remotely. The exploit has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LigeroSmart versions through 6.1.26 **Description** A cross-site scripting issue exists in LigeroSmart. The manipulation of the `TicketID` argument in the `/otrs/index.pl?Action=AgentTicketZoom` endpoint can trigger this issue. The exploit is publicly available and could be used for remote attacks. The project has been informed but has not yet responded. **Recommendations** Versions prior to 6.1.26 should be updated. As a temporary workaround, consider restricting access to the `/otrs/index.pl?Action=AgentTicketZoom` endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** LigeroSmart versions up to 6.1.24 **Description** A flaw exists in the Environment Variable Handler component of LigeroSmart. Manipulation of the `REQUEST URI` argument can lead to cross-site scripting. The issue may be exploited remotely. The exploit has been publicly disclosed. **Recommendations** Upgrade to version 6.1.26 or 6.3.

**Name of the Vulnerable Software and Affected Versions** Qualitor versions through 8.24.73 **Description** A security issue exists in Qualitor that allows for cross site scripting. The issue is related to manipulation of the `cdscript` argument within an unknown function of the file '/Qualitor/html/bc/bcdocumento9/biblioteca/request/viewDocumento.php'. This allows for remote attacks. The exploit has been publicly disclosed. **Recommendations** Upgrade the affected component to a newer version.

**Name of the Vulnerable Software and Affected Versions** Luna Imaging versions up to 7.5.5.6 **Description** A problematic issue has been found in Luna Imaging, affecting an unknown function of the file /luna/servlet/view/search. The manipulation of the `q` argument leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** For versions up to 7.5.5.6, as a temporary workaround, consider restricting access to the /luna/servlet/view/search API endpoint to minimize the risk of exploitation. Avoid using the `q` argument in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Contact Form 7 versions prior to 5.9.5 **Description** The issue allows an attacker to utilize a false URL and redirect to the URL of their choosing, due to an open redirect in the plugin. **Recommendations** For versions prior to 5.9.5, update to version 5.9.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Flask-AppBuilder versions 4.1.4 through 4.2.0 **Description** A Cross-Site Scripting (XSS) vulnerability has been discovered on the OAuth login page. An attacker could trick a user into following a specially crafted URL to the OAuth login page, which could inject and execute malicious javascript code on the user's browser. **Recommendations** For Flask-AppBuilder versions 4.1.4 through 4.2.0, upgrade to version 4.2.1 or a newer version to resolve the issue. As a temporary workaround, consider restricting access to the OAuth login page until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** IceWarp versions 12.0.2.1 through 12.0.3.1 **Description** A problematic issue has been discovered, affecting the Utility Download Handler component in the /install/ file. The issue can be exploited by manipulating the `lang` argument with a specific input, leading to cross-site scripting. This can be initiated remotely. **Recommendations** For IceWarp versions 12.0.2.1 through 12.0.3.1, consider restricting access to the Utility Download Handler component until a fix is available. As a temporary workaround, avoid using the `lang` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTVS RM version 12.1 **Description** A problematic vulnerability has been found in the Portal component of TOTVS RM, specifically in the Login.aspx file. The issue arises from the manipulation of the `VIEWSTATE` argument, leading to cross-site scripting. This vulnerability can be exploited remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** For TOTVS RM version 12.1, as a temporary workaround, consider restricting access to the Login.aspx file or disabling the manipulation of the `VIEWSTATE` argument until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TOTVS RM version 12.1 **Description** A problematic vulnerability was found in the Portal component of TOTVS RM, where the manipulation of the argument `d` leads to cross-site scripting. The attack can be launched remotely. The vendor was contacted about this disclosure but did not respond. **Recommendations** For TOTVS RM version 12.1, as a temporary workaround, consider restricting access to the Portal component to minimize the risk of exploitation. Avoid using the argument `d` until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.