David Silva

Name of the Vulnerable Software and Affected Versions: OTRS versions 7.0.X OTRS versions 8.0.X OTRS versions 2023.X OTRS versions 2024.X OTRS versions 2025.X Description: A flaw in the External Interface of OTRS allows attackers to determine the existence of user accounts by analyzing different HTTP response codes and messages. This enables systematic identification of valid email addresses. Recommendations: OTRS versions 7.0.X: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OTRS versions 8.0.X: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OTRS versions 2023.X: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OTRS versions 2024.X: At the moment, there is no information about a newer version that contains a fix for this vulnerability. OTRS versions 2025.X: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** juzaweb CMS versions up to 3.4.2 **Description** A critical issue has been found in the Plugin Editor Page component, specifically affecting some unknown functionality of the file /admin-cp/plugin/editor. This issue leads to improper access controls, allowing for remote attacks. The exploit has been publicly disclosed. **Recommendations** For juzaweb CMS versions up to 3.4.2, consider restricting access to the /admin-cp/plugin/editor file until a patch is available. As a temporary workaround, review and tighten access controls to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Passbolt API versions prior to 5 **Description** The issue arises when the server is misconfigured, specifically with an incorrect installation process and disregard of Health Check results. In such cases, the Passbolt API can send email messages with a domain name taken from an attacker-controlled HTTP Host header. **Recommendations** For versions prior to 5, ensure proper server configuration, following the correct installation process and adhering to Health Check results to prevent exploitation. As a temporary workaround, consider restricting access to the email functionality until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Microweber version 2.0.4 **Description** The issue allows a remote attacker to execute arbitrary code via a crafted script to the file upload function in the created forms component. This enables the attacker to potentially gain control over the system. **Recommendations** For Microweber version 2.0.4, consider disabling the file upload function in the created forms component until a patch is available. Restrict access to this component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BoltWire version 6.03 **Description** The issue in BoltWire allows a remote attacker to obtain sensitive information via a crafted payload to the view and change admin password function. This is related to insufficient protection of service data, which can be exploited by a remote attacker to gain access to confidential data. **Recommendations** For BoltWire version 6.03, update the BoltWire CMS to a newer version to resolve the issue. As a temporary workaround, consider restricting access to the admin password change function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** BoltWire versions 7.10 through 8.00 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the `name` and `lastname` parameters. **Recommendations** For BoltWire version 7.10, update to a version later than 8.00 to resolve the issue. For BoltWire version 8.00, update to a version later than 8.00 to resolve the issue. As a temporary workaround, consider restricting the use of the `name` and `lastname` parameters until a patch is available.