Emilio Pinna

**Name of the Vulnerable Software and Affected Versions** VMTurbo Operations Manager versions prior to 4.6 build 28657 **Description** The issue allows remote attackers to execute arbitrary commands via shell metacharacters in the `fileDate` parameter in a "DOWN" call to the 'vmtadmin.cgi' endpoint. **Recommendations** For versions prior to 4.6 build 28657, update to version 4.6 build 28657 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'vmtadmin.cgi' endpoint to minimize the risk of exploitation. Avoid using the `fileDate` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Moodle versions 2.5.x through 2.5.1 **Description** The issue allows remote attackers to conduct PHP object injection attacks. This is due to improper handling of an object obtained by unserializing a description of an external badge in the badges/external.php file. The attack can be conducted via unspecified vectors, such as overwriting the value of the `userid` parameter. **Recommendations** For Moodle versions 2.5.x through 2.5.1, update to version 2.5.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the badges/external.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** FCKeditor versions 2.6.7 and earlier **Description** A cross-site scripting (XSS) issue exists in the print textinputs var function, allowing remote attackers to inject arbitrary web script or HTML via `textinputs` array parameters. Multiple vulnerabilities in the FCKeditor package may lead to a breach of protected information integrity, and exploitation can be done remotely. **Recommendations** For FCKeditor versions 2.6.7 and earlier, consider disabling the `print textinputs var` function in the spellchecker.php file as a temporary workaround until a patch is available. Restrict access to the spellchecker.php file to minimize the risk of exploitation. Avoid using the `textinputs` array parameters in the affected API endpoint until the issue is resolved.