Fabian Fingerle

**Name of the Vulnerable Software and Affected Versions** cpCommerce versions prior to 1.2.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `search` parameter in a "search.quick" action to "search.php" and the `name` parameter in a "sendtofriend" action to "sendtofriend.php". **Recommendations** For versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "search.php" and "sendtofriend.php" files until the update is applied. Avoid using the `search` and `name` parameters in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: fuzzylime (cms) versions prior to 3.03 Description: The issue is related to a cross-site scripting (XSS) vulnerability. This allows remote attackers to inject arbitrary web script or HTML via the `user` parameter to the login form. Recommendations: For versions prior to 3.03, update to version 3.03 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/usercheck.php file to minimize the risk of exploitation. Avoid using the `user` parameter in the login form until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XRMS (affected versions not specified) **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various parameters, including the real name field, `target` parameter to "login.php", `title` parameter to "activities/some.php", `company name` parameter to "companies/some.php", `last name` parameter to "contacts/some.php", `campaign title` parameter to "campaigns/some.php", `opportunity title` parameter to "opportunities/some.php", `case title` parameter to "cases/some.php", `file id` parameter to "files/some.php", or `starting` parameter to "reports/custom/mileage.php". **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** XRMS (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands, which can be used to modify the `name` and `email` fields. This is achieved through an SQL injection vulnerability in the `admin/users/self-2.php` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: vtiger CRM version 5.0.4 Description: The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters in different modules. The affected parameters include the `parenttab` parameter in the Products module, the `user password` parameter in the Users module, and the `query string` parameter in the Home module, all of which are accessible through `index.php`. Recommendations: For vtiger CRM version 5.0.4, consider disabling access to the vulnerable parameters `parenttab`, `user password`, and `query string` in their respective modules until a patch is available. Restrict access to the Products, Users, and Home modules to minimize the risk of exploitation. Avoid using the `parenttab`, `user password`, and `query string` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.