Fewwords

**Name of the Vulnerable Software and Affected Versions** SimpleMachines SMF version 2.1.4 **Description** A problem was found in SimpleMachines SMF and classified as problematic. It affects some unknown functionality of the file ManageAttachments.php. The manipulation of the `Notice` argument leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. **Recommendations** For SimpleMachines SMF version 2.1.4, as a temporary workaround, consider restricting access to the `ManageAttachments.php` file until a patch is available. Avoid using the `Notice` argument in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SimpleMachines SMF version 2.1.4 **Description** A vulnerability was found in SimpleMachines SMF, affecting an unknown part of the file ManageNews.php. The manipulation of the `subject`/`message` argument leads to cross-site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure. **Recommendations** For SimpleMachines SMF version 2.1.4, consider disabling the manipulation of the `subject`/`message` argument in the ManageNews.php file until a patch is available. Restrict access to the ManageNews.php file to minimize the risk of exploitation. Avoid using the `subject`/`message` argument in the affected file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microweber version 2.0.19 Description: A problem was found in the Settings Handler component, specifically in the file userfiles/modules/settings/group/website group/index.php. The issue allows for cross-site scripting by manipulating the `group` argument. This can be initiated remotely. Recommendations: For Microweber version 2.0.19, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SimpleMachines SMF version 2.1.4 **Description** A vulnerability has been found in the User Alert Read Status Handler component, specifically in the file /index.php?action=profile;u=2;area=showalerts;do=read. The manipulation of the `aid` argument leads to improper control of resource identifiers. This issue can be exploited remotely. **Recommendations** For SimpleMachines SMF version 2.1.4, as a temporary workaround, consider restricting access to the /index.php?action=profile;u=2;area=showalerts;do=read endpoint until a patch is available. Avoid manipulating the `aid` argument in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SimpleMachines SMF version 2.1.4 **Description** A critical issue was found in the Delete User Handler component, specifically in the file /index.php?action=profile;u=2;area=showalerts;do=remove. The manipulation of the `aid` argument leads to improper control of resource identifiers, allowing for remote attacks. The exploit has been publicly disclosed and may be used, potentially resulting in unauthorized access and system compromise. **Recommendations** For SimpleMachines SMF version 2.1.4, patch immediately to prevent exploitation. Additionally, monitor for exploit attempts to minimize the risk of unauthorized access and system compromise. As a temporary workaround, consider restricting access to the Delete User Handler component or disabling the manipulation of the `aid` argument until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** SP Project & Document Manager WordPress plugin versions 4.71 and earlier **Description** The issue is related to missing validation in the upload function of the plugin, allowing a user to manipulate the `user id` variable to make it appear that a file was uploaded by another user. This can lead to unauthorized access. **Recommendations** For SP Project & Document Manager WordPress plugin versions 4.71 and earlier: Update the plugin to the latest patched version immediately. As a temporary workaround, consider restricting access to the upload function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The SP Project & Document Manager WordPress plugin versions 4.71 and earlier **Description** The issue allows a logged-in user to view and download files belonging to another user due to a lack of proper access controllers. **Recommendations** For versions 4.71 and earlier, update to a version that includes proper access controls to prevent unauthorized file access. As a temporary workaround, consider restricting file access permissions to minimize the risk of exploitation.