Erik Steltzner

**Name of the Vulnerable Software and Affected Versions** PHP Event Calendar versions prior to 2021-09-03 **Description** The issue allows SQL injection, as demonstrated by the "/server/ajax/user manager.php" endpoint, specifically the `username` parameter. This can be used to execute SQL statements directly on the database, potentially allowing an adversary to compromise the database system or bypass the login form. **Recommendations** For versions prior to 2021-09-03, update to a version released after 2021-09-03 to resolve the issue. As a temporary workaround, consider restricting access to the "/server/ajax/user manager.php" endpoint or sanitizing the `username` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP Event Calendar through 2021-11-04 **Description** The issue allows for persistent cross-site scripting (XSS) and can be exploited by an adversary in multiple ways, such as performing actions on the page in the context of other users or defacing the site. This is demonstrated by the `/server/ajax/events manager.php` API endpoint, specifically the `title` parameter. **Recommendations** For PHP Event Calendar through 2021-11-04, consider disabling the `/server/ajax/events manager.php` API endpoint or restricting access to the `title` parameter until a patch is available. As a temporary workaround, avoid using the `title` parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Infosysta In-App & Desktop Notifications app version 1.6.13 J8 for Jira **Description** An issue in the Infosysta In-App & Desktop Notifications app allows unauthorized access to a different user's notifications. This can be achieved by modifying the `username` variable in the "plugins/servlet/nfj/PushNotification" endpoint. As a result, the targeted user's notifications are no longer displayed to them. **Recommendations** For version 1.6.13 J8, consider restricting access to the "plugins/servlet/nfj/PushNotification" endpoint until a patch is available, and avoid using the `username` variable in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Infosysta In-App & Desktop Notifications app version 1.6.13 J8 for Jira **Description** An issue in the Infosysta In-App & Desktop Notifications app allows obtaining a list of all valid Jira usernames without authentication or authorization. This can be achieved via the "plugins/servlet/nfj/UserFilter?searchQuery=@" URI, specifically the `searchQuery` variable. **Recommendations** For version 1.6.13 J8, consider restricting access to the plugins/servlet/nfj/UserFilter API endpoint until a patch is available. Avoid using the `searchQuery` variable in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.