Cupc4K3

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** A Cross Site Scripting (XSS) issue allows attackers to run arbitrary code via the `First Name` field in the application. This enables attackers to execute malicious scripts on the client-side, potentially leading to unauthorized actions or data exposure. **Recommendations** For Form Tools version 3.1.1, update to a newer version that contains a fix for this issue. As a temporary workaround, consider validating and sanitizing user input in the `First Name` field to prevent malicious code execution. Restrict access to the application to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** A Server Side Template Injection (SSTI) issue allows attackers to run arbitrary commands via the `Group Name` field under the add forms section of the application. **Recommendations** For Form Tools version 3.1.1, avoid using the `Group Name` field in the add forms section until a patch is available. As a temporary workaround, consider restricting access to the add forms section to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** A Cross Site Request Forgery (CSRF) issue allows attackers to manipulate sensitive user data via a crafted link. This can lead to unauthorized access and modification of user information. **Recommendations** For Form Tools version 3.1.1, consider implementing proper CSRF token validation to prevent attackers from manipulating user data via crafted links. As a temporary workaround, restrict access to sensitive user data until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** The issue allows attackers to run arbitrary SQL commands via the `keyword` when searching for a client. This can be exploited by manipulating the search functionality. **Recommendations** For Form Tools version 3.1.1, as a temporary workaround, consider restricting access to the search functionality that utilizes the `keyword` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** osCommerce version 4 **Description** An issue allows local attackers to bypass file upload restrictions and execute arbitrary code via the administrator profile photo upload feature. **Recommendations** For osCommerce version 4, as a temporary workaround, consider disabling the administrator profile photo upload feature until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.2.4 **Description** The issue is related to stored XSS via the `Role Name` field due to insufficient validation of administrator-provided data. A rogue administrator could inject malicious code into the `Role Name` field, which might be executed when users visit the affected page. **Recommendations** For Concrete CMS versions 9.0.0 through 9.2.4, update to version 9.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Role Name` field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9 through 9.2.4 **Description** The issue is related to insufficient validation of administrator-provided data in the Image URL Import Feature, allowing a rogue administrator to inject malicious code when importing images. This leads to the execution of the malicious code on the website user's browser. A rogue administrator could exploit this to inject malicious code. **Recommendations** For Concrete CMS versions 9 through 9.2.4, update to version 9.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the Image URL Import Feature to minimize the risk of exploitation. Avoid using the Image URL Import Feature until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Group-Office versions prior to 6.8.29 **Description** The issue is related to the file upload mechanism in Group-Office, allowing an attacker to execute arbitrary JavaScript code by embedding it within a file's name. For example, using a filename such as "><img src=x onerror=prompt('XSS')>.jpg" can trigger this issue. When such a file is uploaded, the JavaScript code within the filename is executed. **Recommendations** For versions prior to 6.8.29, upgrade to version 6.8.29 or later to address the issue. As a temporary workaround, consider restricting file uploads or validating filenames to prevent the execution of embedded JavaScript code. Avoid using filenames that contain potentially executable code until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Pimcore Perspective Editor versions prior to 1.5.1 **Description** This issue has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. **Recommendations** For versions prior to 1.5.1, update to version 1.5.1 to resolve the issue. As a temporary workaround for versions prior to 1.5.1, apply the patch manually.