Damiano Esposito

**Name of the Vulnerable Software and Affected Versions** airleader MASTER version 3.00571 **Description** The issue is related to an Improper Authentication vulnerability that allows Authentication Bypass. This vulnerability affects the airleader MASTER device, potentially allowing unauthorized access. **Recommendations** For airleader MASTER version 3.00571, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plone versions 4.0 through 5.2.1 **Description** The issue is related to an open redirect on the login form and possibly other areas, allowing an attacker to create a link that redirects to an attacker's site after login. **Recommendations** For versions 4.0 through 5.2.1, consider restricting access to the login form until a fix is available. As a temporary workaround, avoid using the login form with external links to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Plone versions 5.0 through 5.2.1 **Description** A cross-site scripting (XSS) issue exists in the title field, allowing users with a certain privilege level to insert JavaScript code. This code will be executed when other users access the site. **Recommendations** For Plone versions 5.0 through 5.2.1, update to a version that contains a fix for this issue to prevent the execution of malicious JavaScript code.

**Name of the Vulnerable Software and Affected Versions** Plone versions 4.0 through 5.2.1 **Description** The issue allows users to perform unwanted SQL queries due to SQL Injection in DTML or in connection objects. This problem is related to Zope. **Recommendations** For Plone versions 4.0 through 5.2.1, update to a version that contains a fix for this issue to prevent unwanted SQL queries.

**Name of the Vulnerable Software and Affected Versions** Plone versions 4.3 through 5.2.0 **Description** The issue is related to missing password strength checks on some forms, allowing users to set weak passwords. This makes it easier for attackers to crack the passwords. **Recommendations** For Plone versions 4.3 through 5.2.0, consider implementing custom password strength checks to enforce strong passwords until a patch is available. As a temporary workaround, restrict access to password change functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Plone versions 5.2.0 through 5.2.1 **Description** The issue allows users with a certain privilege level to escalate their privileges up to the highest level. **Recommendations** For Plone versions 5.2.0 through 5.2.1, update to a version that contains a fix for this issue to prevent privilege escalation.

**Name of the Vulnerable Software and Affected Versions** Plone versions 4.3 through 5.2.1 **Description** The issue is related to a privilege escalation problem in the plone.app.contenttypes package of the Plone content management system. This allows users to overwrite certain content using the PUT method without requiring write permission. The vulnerability can be exploited by a remote attacker to elevate their privileges. **Recommendations** For Plone versions 4.3 through 5.2.1, consider restricting access to the plone.app.contenttypes package until a fix is available. As a temporary workaround, limit the ability of users to PUT content without proper write permissions to minimize the risk of exploitation.