Dqh1

**Name of the Vulnerable Software and Affected Versions** Jenkins GitHub Plugin versions prior to 1.46.1 **Description** Improper processing of the current job URL within the JavaScript used to validate the "GitHub hook trigger for GITScm polling" feature allows non-anonymous attackers with Overall/Read permission to execute a stored cross-site scripting (XSS) attack. XSS is a flaw where malicious scripts are injected into trusted websites. **Recommendations** Update to a version later than 1.46.0.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions 7.15.0 and 8.9.2 **Description** SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A critical Remote Code Execution (RCE) issue exists, allowing authenticated administrators to execute arbitrary system commands. The issue is a bypass of a previous patch attempt for CVE-2024-49774. The underlying flaw resides in the `ModuleScanner.php` file, specifically in its PHP token parsing logic. The scanner incorrectly resets its internal state (`$checkFunction` flag) when encountering single-character tokens (such as =, ., or ;). This allows attackers to conceal dangerous function calls, like `system()` or `exec()`, using variable assignments or string concatenation, effectively bypassing the MLP security controls. **Recommendations** Update to SuiteCRM version 7.15.1 or 8.9.3.

**Name of the Vulnerable Software and Affected Versions** OpenProject versions prior to 17.2.0 **Description** OpenProject is a web-based project management software. Before version 17.2.0, an authenticated project member with BCF import permissions could upload a manipulated .bcf archive. The `<Snapshot>` value within the markup.bcf file could be altered to contain an absolute or traversal local path, such as '/etc/passwd' or '../../../../etc/passwd'. During import, this untrusted `<Snapshot>` value is used as `file.path` during attachment processing. This allows for arbitrary file reading (AFR) within the read permissions of the OpenProject application user, as local filesystem content can be read outside the intended ZIP scope. **Recommendations** Update to version 17.2.0 or later.