Daniel

**Name of the Vulnerable Software and Affected Versions** Drupal CivicTheme Design System versions prior to 1.12.0 **Description** A flaw exists in the CivicTheme Design System that allows for Cross-Site Scripting (XSS). This occurs due to improper neutralization of input during web page generation. The issue impacts the way user-supplied data is handled, potentially allowing attackers to inject malicious scripts into web pages viewed by other users. **Recommendations** Update to CivicTheme Design System version 1.12.0 or later.

**Name of the Vulnerable Software and Affected Versions** Drupal CivicTheme Design System versions prior to 1.12.0 **Description** An incorrect authorization issue exists in the CivicTheme Design System that allows for forceful browsing. This occurs due to insufficient access controls, potentially allowing unauthorized access to resources. **Recommendations** Update to version 1.12.0 or later.

**Name of the Vulnerable Software and Affected Versions** Mediawiki - Lockdown Extension versions prior to 1.42 **Description** The Mediawiki Lockdown Extension contains a flaw related to incorrect permission assignment for critical resources, which allows for privilege abuse. The issue resides in the compare API module and enables attackers to bypass permissions, potentially leading to complete privilege escalation without authentication. The problem is fixed in the Mediawiki Core Action API. **Recommendations** Upgrade to version 1.42 or later to resolve this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cashIT! - serving solutions versions from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 **Description** The issue is an unauthenticated remote code execution vulnerability that can be triggered by an HTTP endpoint exposed to the network. **Recommendations** For versions from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37, as a temporary workaround, consider restricting access to the exposed HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cashIT! - serving solutions versions 03.A06rks 2023.02.37 and earlier **Description** The issue is related to an origin bypass via the host header in an HTTP request. This can be triggered by an HTTP endpoint exposed to the network. **Recommendations** For versions 03.A06rks 2023.02.37 and earlier, consider restricting access to HTTP endpoints exposed to the network as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** cashIT! - serving solutions versions to 03.A06rks 2023.02.37 **Description** The issue affects devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" and allows for the leakage of the database, including system settings and user accounts. This can be triggered by an HTTP endpoint exposed to the network. **Recommendations** For versions to 03.A06rks 2023.02.37, as a temporary workaround, consider restricting access to the exposed HTTP endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** AVideo versions prior to 12.4 **Description** The issue allows attackers to gain sensitive information via the `success` parameter to the "/user" API endpoint. This is a Cross Site Scripting (XSS) vulnerability, which means attackers can inject malicious scripts into websites, potentially leading to unauthorized access to sensitive data. **Recommendations** For versions prior to 12.4, update to version 12.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/user` API endpoint to minimize the risk of exploitation. Avoid using the `success` parameter in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Tiny Tiny RSS (aka tt-rss) versions prior to 2021-03-12 Description: The auth internal plugin in Tiny Tiny RSS allows an attacker to log in via the OTP code without a valid password. This issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production. Recommendations: For versions prior to 2021-03-12, update to a version after 2021-03-12 to resolve the issue. As a temporary workaround, consider disabling the auth internal plugin until a patch is available. Restrict access to the OTP code login functionality to minimize the risk of exploitation.