Chris Cooper

**Name of the Vulnerable Software and Affected Versions** Group-Office community versions prior to 4.0.90 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `sort` parameter in the modules/calendar/json.php file. **Recommendations** For versions prior to 4.0.90, update to version 4.0.90 or later to resolve the issue. As a temporary workaround, consider restricting access to the modules/calendar/json.php file or avoiding the use of the `sort` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Total Shop UK eCommerce Open Source versions prior to 2.1.2 p1 **Description** A cross-site scripting (XSS) issue exists due to insufficient input validation in the refresh page function. This allows remote attackers to inject arbitrary web script or HTML via the PATH INFO. **Recommendations** For versions prior to 2.1.2 p1, update to version 2.1.2 p1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** TCExam versions prior to 11.3.008 **Description** The issue allows remote authenticated users with level 5 or greater permissions to execute arbitrary SQL commands. This can be achieved via the `subject module id` parameter to (1) "tce edit answer.php" or (2) "tce edit question.php" API endpoints. **Recommendations** For versions prior to 11.3.008, update to version 11.3.008 or later to resolve the issue. As a temporary workaround, consider restricting access to the `tce edit answer.php` and `tce edit question.php` endpoints for users with level 5 or greater permissions until the update is applied. Avoid using the `subject module id` parameter in the affected API endpoints until the issue is resolved.