Dawid Golak

**Name of the Vulnerable Software and Affected Versions** ThreatQuotient ThreatQ versions prior to 5.29.3 **Description** The issue allows authenticated users to execute arbitrary commands by sending a crafted request to an API endpoint. **Recommendations** For versions prior to 5.29.3, update to version 5.29.3 or later to resolve the issue. As a temporary workaround, consider restricting access to API endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** JBMC Software DirectAdmin version 1.403 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This is achieved via the domain parameter in CMD DOMAIN. **Recommendations** For version 1.403, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the CMD DOMAIN function to minimize the risk of exploitation. Avoid using the domain parameter in the affected function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** JBMC Software DirectAdmin version 1.403 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the CMD DOMAIN component. These vulnerabilities allow remote authenticated users with specific privileges to inject arbitrary web script or HTML. The injection can occur via the `select0` or `select8` parameters. **Recommendations** For version 1.403, consider restricting access to the CMD DOMAIN component until a patch is available. As a temporary workaround, avoid using the `select0` and `select8` parameters in the affected API endpoint.