Davide Bernacchia

**Name of the Vulnerable Software and Affected Versions** SEO Panel version 4.10.0 **Description** A Cross-Site Request Forgery (CSRF) issue allows remote attackers to perform unauthorized user password resets. **Recommendations** For SEO Panel version 4.10.0, update to a version that fixes this issue to prevent unauthorized password resets. As a temporary workaround, consider restricting access to password reset functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** SEO Panel version 4.10.0 **Description** An email address enumeration issue exists in the password reset function. This allows an attacker to guess which emails exist on the system. **Recommendations** For SEO Panel version 4.10.0, consider disabling the password reset function until a patch is available. Restrict access to the password reset functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** SEO Panel version 4.10.0 **Description** A user enumeration issue was found, occurring during user authentication. This issue allows an attacker to determine if a username is valid or not through differences in error messages, enabling a brute-force attack with valid usernames. **Recommendations** For SEO Panel version 4.10.0, consider temporarily restricting access to the user authentication module until a patch is available. As a mitigation measure, avoid using distinct error messages for valid and invalid usernames to prevent user enumeration. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SEO Panel version 4.10.0 **Description** A Blind SSRF vulnerability exists in the "Crawl Meta Data" functionality. This makes it possible for remote attackers to scan ports in the local environment. **Recommendations** For SEO Panel version 4.10.0, consider disabling the "Crawl Meta Data" functionality until a patch is available. Restrict access to this feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenCATS version 0.9.7 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `city` parameter at "opencats/index.php?m=candidates". This enables attackers to potentially manipulate the web application's behavior. **Recommendations** For OpenCATS version 0.9.7, as a temporary workaround, consider restricting access to the "opencats/index.php?m=candidates" endpoint to minimize the risk of exploitation. Avoid using the `city` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenCATS version 0.9.7 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `state` parameter at "opencats/index.php?m=candidates". This enables attackers to potentially manipulate the web application's behavior. **Recommendations** For OpenCATS version 0.9.7, consider disabling access to the "opencats/index.php?m=candidates" endpoint until a patch is available, or restrict the use of the `state` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** OpenCATS version 0.9.7 **Description** A Cross-Site Request Forgery (CSRF) issue allows attackers to force users into submitting web requests via unspecified vectors. **Recommendations** For OpenCATS version 0.9.7, consider implementing anti-CSRF measures, such as token-based validation, to prevent unauthorized requests. As a temporary workaround, restrict access to sensitive operations that could be exploited through CSRF attacks until a patch is available.