Daniel Barros

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** A Cross Site Scripting (XSS) issue allows attackers to run arbitrary code via the `First Name` field in the application. This enables attackers to execute malicious scripts on the client-side, potentially leading to unauthorized actions or data exposure. **Recommendations** For Form Tools version 3.1.1, update to a newer version that contains a fix for this issue. As a temporary workaround, consider validating and sanitizing user input in the `First Name` field to prevent malicious code execution. Restrict access to the application to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** The issue allows attackers to run arbitrary SQL commands via the `keyword` when searching for a client. This can be exploited by manipulating the search functionality. **Recommendations** For Form Tools version 3.1.1, as a temporary workaround, consider restricting access to the search functionality that utilizes the `keyword` parameter until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** A Cross Site Request Forgery (CSRF) issue allows attackers to manipulate sensitive user data via a crafted link. This can lead to unauthorized access and modification of user information. **Recommendations** For Form Tools version 3.1.1, consider implementing proper CSRF token validation to prevent attackers from manipulating user data via crafted links. As a temporary workaround, restrict access to sensitive user data until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Form Tools version 3.1.1 **Description** A Server Side Template Injection (SSTI) issue allows attackers to run arbitrary commands via the `Group Name` field under the add forms section of the application. **Recommendations** For Form Tools version 3.1.1, avoid using the `Group Name` field in the add forms section until a patch is available. As a temporary workaround, consider restricting access to the add forms section to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SPIP versions prior to 4.1.14 SPIP versions 4.2.x prior to 4.2.8 **Description** The issue allows for XSS via the name of an uploaded file, related to javascript/bigup.js and javascript/bigup.utils.js. **Recommendations** For SPIP versions prior to 4.1.14, update to version 4.1.14 or later. For SPIP versions 4.2.x prior to 4.2.8, update to version 4.2.8 or later. As a temporary workaround, consider restricting the upload of files with potentially malicious names until a patch is available.