Dev03303

**Name of the Vulnerable Software and Affected Versions** yi-ge get-header-ip versions prior to 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15 **Description** A cross-site scripting issue exists due to manipulation of the `callback` argument within the `ip` function of the `ip.php` file. This allows for remote attacks. The product uses a rolling release model, and specific version information for affected or updated releases is not available. **Recommendations** Update to a version prior to 589b23d0eb0043c310a6a13ce4bbe2505d0d0b15. As a temporary workaround, consider restricting the use of the `ip` function in the `ip.php` file until a suitable update is available. Avoid using the `callback` argument in the `ip` function.

**Name of the Vulnerable Software and Affected Versions** nuz007 smsboom versions prior to 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674 **Description** A flaw exists in nuz007 smsboom. Manipulation of the `hm` argument in an unknown function within the `dy.php` file can lead to cross site scripting. Remote exploitation is possible. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nuz007 smsboom versions prior to 01b2f35bbbc23f3e0f60f38ca0e3d1b286f8d674 **Description** A security issue exists in nuz007 smsboom. Manipulation of the `hm` argument in the file `d.php` can lead to cross site scripting. The attack can be launched remotely. The vulnerable component is an unknown function within `d.php`. This product operates on a rolling release basis, meaning there are no specific version details for affected or updated releases. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: lokibhardwaj PHP-Code-For-Unlimited-File-Upload versions up to 124fe96324915490c81eaf7db3234b0b4e4bab3c Description: A weakness exists in the file `/f.php` within the software. Manipulation of the argument `h` can lead to cross-site scripting. Remote exploitation is possible, and the exploit has been made publicly available. The vendor was contacted regarding this issue but did not respond. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** descreekert wx-discuz versions prior to 12bd4745c63ec203cb32119bf77ead4a923bf277 **Description** A vulnerability exists in the `validToken` function of the `/wx.php` file. Manipulation of the `echostr` argument can lead to cross-site scripting. The attack can be initiated remotely. This product uses a rolling release model, so specific version details for affected and updated releases are not available. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** cgpandey hotelmis versions prior to c572198e6c4780fccc63b1d3e8f3f72f825fc94e **Description** A problematic issue exists in the `admin.php` file's HTTP GET Request Handler component. Manipulation of the `Search` argument can lead to cross-site scripting. The attack can be initiated remotely. The product uses a rolling release model, and no specific version details for affected or updated releases are available. **Recommendations** Update to version c572198e6c4780fccc63b1d3e8f3f72f825fc94e or later.

Name of the Vulnerable Software and Affected Versions: calmkart Django-sso-server up to 057247929a94ffc358788a37ab99e391379a4d15 Description: A vulnerability was found in the function `gen rsa keys` of the file `common/crypto.py`, leading to inadequate encryption strength. The attack can be initiated remotely, but the complexity of an attack is rather high, and the exploitation appears to be difficult. Recommendations: As a temporary workaround, consider disabling the `gen rsa keys` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.