Elliot Rasch

**Name of the Vulnerable Software and Affected Versions** Archibus app version 4.0.3 for iOS **Description** An issue was discovered in the create work request feature of the maintenance module, via the `description` field. This allows an attacker to perform an action on behalf of the user, exfiltrate data, and so on. **Recommendations** For Archibus app version 4.0.3, consider disabling the create work request feature in the maintenance module until a patch is available. Restrict access to the description field to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Archibus app version 4.0.3 for iOS **Description** An issue was discovered in the Archibus app, which uses a local database synchronized with a Web central server instance. There is a SQL injection in the search work request feature in the Maintenance module of the app, allowing queries to be performed on the local database. **Recommendations** For Archibus app version 4.0.3, consider disabling the search work request feature in the Maintenance module as a temporary workaround until a patch is available. Restrict access to the local database to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Dradis versions prior to 4.8.0 **Description** The issue allows persistent XSS by authenticated author users, related to avatars. **Recommendations** For versions prior to 4.8.0, update to version 4.8.0 or later to resolve the issue. As a temporary workaround, consider restricting the ability of authenticated author users to upload or modify avatars until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Mega HOPEX versions 15.2.0.6110 through V5CP2 **Description** The application is prone to reflected Cross-site Scripting (XSS) in several features. **Recommendations** For Mega HOPEX versions 15.2.0.6110 through V5CP2, update to a version after V5CP2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mega HOPEX versions 15.2.0.6110 through V5CP4 **Description** A link-manipulation issue was discovered. **Recommendations** For Mega HOPEX versions 15.2.0.6110 through V5CP4, update to version V5CP4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Black Rainbow NIMBUS versions prior to 3.7.0 **Description** The issue allows for stored Cross-site Scripting (XSS), which is a type of attack where an attacker injects malicious code into a website, and this code is stored on the server. When other users access the website, the malicious code is executed, potentially leading to unauthorized actions. **Recommendations** For versions prior to 3.7.0, update to version 3.7.0 or later to resolve the issue.