Deepankar Arora

**Name of the Vulnerable Software and Affected Versions** phpThumb versions prior to 1.7.12 **Description** The issue concerns the default configuration of phpThumb, where the disable debug option is set to false, allowing remote attackers to conduct Server-Side Request Forgery (SSRF) attacks. This is achieved by exploiting the `src` parameter. **Recommendations** For versions prior to 1.7.12, update to version 1.7.12 or later to resolve the issue. As a temporary workaround, consider setting the disable debug option to true to prevent SSRF attacks via the `src` parameter.

**Name of the Vulnerable Software and Affected Versions** Open Flash Chart versions prior to the version used in Pretty Link Lite 1.6.3 Pretty Link Lite plugin versions prior to 1.6.3 JNews (com jnews) component version 8.0.1 CiviCRM versions 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `get-data` parameter. This affects various software products, including the Pretty Link Lite plugin for WordPress, JNews component for Joomla!, and CiviCRM. **Recommendations** For Pretty Link Lite plugin versions prior to 1.6.3, update to version 1.6.3 or later. For JNews (com jnews) component version 8.0.1, consider disabling the component until a patch is available. For CiviCRM versions 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, update to a version outside of these ranges. As a temporary workaround, consider restricting access to the `get-data` parameter in the affected API endpoint until a patch is available.