Drunkenshells

**Name of the Vulnerable Software and Affected Versions** Magnolia CMS versions 6.2.3 and below **Description** An issue in the Login page of Magnolia CMS allows attackers to exploit both an Open Redirect vulnerability and Cross-Site Request Forgery (CSRF) in order to brute force and exfiltrate users' credentials. **Recommendations** For Magnolia CMS versions 6.2.3 and below, update to a version above 6.2.3 to resolve the issue. As a temporary workaround, consider restricting access to the Login page to minimize the risk of exploitation. Avoid using the Login page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Magnolia versions prior to 6.2.3 **Description** A Server-Side Template Injection (SSTI) issue in the Registration and Forgotten Password forms allows attackers to execute arbitrary code via a crafted payload entered into the `fullname` parameter. **Recommendations** For versions prior to 6.2.3, update to a version that contains a fix for this issue to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CALDERA version 2.8.1 **Description** An issue was discovered in CALDERA. When activated, the Human plugin passes the unsanitized `name` parameter to a python `os.system` function. This allows attackers to use shell metacharacters (e.g., backticks or dollar parenthesis) in order to escape the current command and execute arbitrary shell commands. **Recommendations** For CALDERA version 2.8.1, consider disabling the Human plugin until a patch is available to prevent the execution of arbitrary shell commands. Restrict access to the `os.system` function to minimize the risk of exploitation. Avoid using the `name` parameter in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ozeki NG SMS Gateway versions 4.17.1 through 4.17.6 **Description** The issue concerns the "Import Contacts" functionality, which does not check the file type when bulk importing new contacts from a file. This allows an attacker to upload an executable or .bat file, which can then be executed using certain functionalities within the application, such as the "Application Starter" module. **Recommendations** For Ozeki NG SMS Gateway versions 4.17.1 through 4.17.6, consider disabling the "Import Contacts" functionality until a patch is available to prevent the upload of malicious files. Additionally, restrict access to the "Application Starter" module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ozeki NG SMS Gateway versions prior to 4.17.7 **Description** The issue allows for Server-Side Request Forgery (SSRF) attacks via SMS WCF or RSS To SMS. **Recommendations** For Ozeki NG SMS Gateway versions prior to 4.17.7, update to version 4.17.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ozeki NG SMS Gateway versions prior to 4.17.7 **Description** The issue affects the Ozeki NG SMS Gateway, where multiple authenticated stored and/or reflected XSS vulnerabilities have been identified. These vulnerabilities can be exploited via several fields and parameters, including the `Receiver` or `Recipient` field in the Mailbox feature, the `OZFORM GROUPNAME` field in the Group configuration of addresses, the `listname` field in the Defining address lists configuration, or any `GET` parameter in the "/default" URL of the application. **Recommendations** For Ozeki NG SMS Gateway versions prior to 4.17.7, update to version 4.17.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the Mailbox feature, Group configuration of addresses, and Defining address lists configuration to minimize the risk of exploitation. Avoid using the `Receiver` or `Recipient` field, `OZFORM GROUPNAME` field, and `listname` field in the affected configurations until the issue is resolved. Additionally, restrict access to the "/default" URL of the application to prevent exploitation via `GET` parameters.

**Name of the Vulnerable Software and Affected Versions** Ozeki NG SMS Gateway versions prior to 4.17.7 **Description** An issue was discovered in the Autoreply module's `Script Name` where a path traversal vulnerability allows an attacker to write to or overwrite arbitrary files with arbitrary content, usually with NT AUTHORITYSYSTEM privileges. **Recommendations** For Ozeki NG SMS Gateway versions prior to 4.17.7, update to version 4.17.7 or later to resolve the issue. As a temporary workaround, consider disabling the Autoreply module until a patch is available. Restrict access to the Autoreply module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ozeki NG SMS Gateway versions through 4.17.6 **Description** An issue was discovered in the outbox functionality of the TXT File module, allowing it to delete most files in a folder. Since the product typically runs as NT AUTHORITYSYSTEM, the only files that will not be deleted are those currently being run by the system and/or files with special security attributes. **Recommendations** For Ozeki NG SMS Gateway versions through 4.17.6, consider restricting access to the outbox functionality of the TXT File module to prevent unauthorized file deletion until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ozeki NG SMS Gateway versions through 4.17.6 **Description** An issue in the ASP.net SMS module allows it to read and validate the source code of ASP files. By altering the path, it can be made to read any file on the Operating System, usually with NT AUTHORITYSYSTEM privileges. **Recommendations** For Ozeki NG SMS Gateway versions through 4.17.6, consider restricting access to the ASP.net SMS module until a patch is available. As a temporary workaround, limit the module's ability to read files outside its intended directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Wowza Streaming Engine versions 4.8.0 and earlier Wowza Streaming Engine versions 4.7.7 and 4.7.8 **Description** The issue arises from multiple authenticated XSS vulnerabilities. These can be exploited via the `customList%5B0%5D.value` field in "enginemanager/server/serversetup/edit adv.htm" of the Server Setup configuration or the `host` field in "enginemanager/j spring security check" of the login form. **Recommendations** For Wowza Streaming Engine versions 4.8.0 and earlier, update to version 4.8.5 or later to resolve the issue. For Wowza Streaming Engine versions 4.7.7 and 4.7.8, update to version 4.8.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `customList%5B0%5D.value` field in the Server Setup configuration and the `host` field in the login form to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Alfresco Community Edition versions 6.0 and lower **Description** An issue allows an unauthenticated, remote attacker to authenticate to Alfresco's Solr Web Admin Interface. This is due to a default private key present in all default installations. An attacker could exploit this by using the extracted private key and bundling it into a PKCS12, potentially gaining information about the target system, such as OS type, system file locations, Java version, and Solr version. This access could also be leveraged to launch further attacks. **Recommendations** For Alfresco Community Edition versions 6.0 and lower, consider removing or replacing the default private key to prevent unauthorized access to Alfresco's Solr Web Admin Interface. As a temporary workaround, restrict access to the Solr Web Admin Interface until a more permanent solution can be implemented.

**Name of the Vulnerable Software and Affected Versions** PrinterOn Central Print Services versions through 4.1.4 **Description** An issue was discovered in the core components of PrinterOn Central Print Services that create and launch a print job, where they do not perform complete verification of the session cookie supplied to them. This allows an attacker with guest or pseudo-guest level permissions to bypass session checks by directly calling the core print job components via crafted HTTP GET and POST requests, which would otherwise log out a low-privileged user. **Recommendations** For versions through 4.1.4, consider restricting access to the core print job components to prevent direct calls via crafted HTTP requests as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** PrinterOn Enterprise version 4.1.4 **Description** The issue allows an attacker to trick an administrator into making unwanted changes to a printer, such as disabling or approving it, by following a malicious link. This is due to multiple Cross Site Request Forgery (CSRF) vulnerabilities in the Administration page. **Recommendations** For PrinterOn Enterprise version 4.1.4, consider restricting access to the Administration page until a fix is available. As a temporary workaround, administrators should be cautious when following links and avoid making changes to printer settings from untrusted sources. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kofax Front Office Server version 4.1.1.11.0.5212 **Description** The issue concerns multiple authenticated stored XSS vulnerabilities. These can be exploited via the "Filename" field in the "/Kofax/KFS/ThinClient/document/upload/" endpoint for the Thin Client, or the "DeviceName" field in the "/Kofax/KFS/Admin/DeviceService/device/" endpoint for the Administration Console. **Recommendations** For version 4.1.1.11.0.5212, consider disabling the upload functionality in the Thin Client and restricting access to the DeviceService in the Administration Console until a patch is available. Avoid using the "Filename" and "DeviceName" fields in the respective endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Kofax Front Office Server Administration Console version 4.1.1.11.0.5212 **Description** A vulnerability exists that allows remote authenticated users to read arbitrary files. This is achieved by crafting XML inside an imported package configuration (.ZIP file) within the "Kofax/KFS/Admin/PackageService/package/upload" file parameter. **Recommendations** For version 4.1.1.11.0.5212, as a temporary workaround, consider restricting access to the package upload functionality to minimize the risk of exploitation. Avoid using the `package/upload` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PrinterOn Enterprise version 4.1.4 **Description** The issue affects PrinterOn Enterprise, where multiple authenticated stored XSS vulnerabilities have been identified. These vulnerabilities can be exploited via various fields, including the `Machine Host Name` or `Server Serial Number` field in the clustering configuration, the `name` field in the Edit Group configuration, the `Rule Name` field in the Access Control configuration, the `Service Name` in the Service Configuration, or the `First Name` or `Last Name` field in the Edit Account configuration. **Recommendations** For PrinterOn Enterprise version 4.1.4, as a temporary workaround, consider restricting access to the clustering configuration, Edit Group configuration, Access Control configuration, Service Configuration, and Edit Account configuration to minimize the risk of exploitation. Avoid using the vulnerable fields until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.