Hamed Kohi

**Name of the Vulnerable Software and Affected Versions** Apache Answer versions prior to 2.0.1 **Description** The unlisted question feature fails to enforce access restrictions on direct API endpoints. This allows authenticated users to discover and access unlisted questions, including their answers, comments, and revision history. **Recommendations** Upgrade to version 2.0.1.

**Name of the Vulnerable Software and Affected Versions** Webmin versions prior to 2.641 **Description** A stored cross-site scripting issue exists in the email template description field of the System and Server Status module. Low-privileged authenticated attackers can execute arbitrary commands by injecting unsanitized input into the 'save tmpl.cgi' endpoint, which is subsequently rendered without escaping in the 'list tmpls.cgi' endpoint. **Recommendations** Update to version 2.641 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.2 **Description** An information disclosure issue exists in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. By accessing the cron controller without authentication, an attacker can obtain the exposed secret key from the response, which enables the triggering of scheduled task execution outside of the intended schedule. **Recommendations** Update to version 1.0.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.2 **Description** An unauthenticated reflected cross-site scripting issue exists in the visual editor preview renderer. Attackers can execute arbitrary JavaScript by manipulating the `r` query parameter and ` component ajax` POST parameter. This occurs because the `isEditor()` function does not perform session, role, or token verification, and the view handler injects raw HTML POST body content without sanitization. Attackers can use a malicious link or an auto-submitted form to execute controlled JavaScript within the context of the Vvveb origin. **Recommendations** Update to version 1.0.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.2 **Description** An information disclosure issue allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. By accessing the admin password-reset endpoint, a fatal error is triggered due to a missing namespace import. This exposes the absolute server file path, internal class namespaces, line numbers, and source code excerpts through the debug exception handler. **Recommendations** Update to version 1.0.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.2 **Description** A hard-coded credentials issue exists in the `docker-compose-apache.yaml` configuration. This allows unauthenticated attackers to access the bundled phpMyAdmin container using pre-configured database credentials. By connecting to the phpMyAdmin port, attackers can obtain unrestricted read and write access to the entire database, including administrator password hashes, customer personally identifiable information, and order data, which can lead to account takeover and data manipulation. **Recommendations** Update to version 1.0.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.2 **Description** The admin code editor allows authenticated users with low privileges, such as editor, author, contributor, or site admin roles, to execute arbitrary code. This is possible due to insufficient file extension restrictions, enabling attackers to write a malicious `.htaccess` file to map arbitrary extensions to the PHP handler. Subsequently, PHP code can be uploaded using those extensions to achieve remote code execution when the file is accessed via HTTP. **Recommendations** Update to version 1.0.8.2 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.1 **Description** Authenticated users with media upload and rename permissions can execute arbitrary JavaScript by bypassing MIME type validation and renaming uploaded files to executable extensions. This is achieved by prepending a GIF89a header to HTML/JavaScript payloads to bypass upload validation and then renaming the file to a '.html' extension. This allows malicious scripts to execute in an administrator's browser session, potentially leading to the creation of backdoor accounts and the upload of malicious plugins for remote code execution. **Recommendations** Update to version 1.0.8.1 or later.

**Name of the Vulnerable Software and Affected Versions** Vvveb versions prior to 1.0.8.1 **Description** An issue exists in the 'oEmbedProxy' action of the 'editor/editor' module where the `url` parameter is passed directly to the `getUrl()` function via curl without scheme or destination validation. Authenticated backend users can provide 'file://' URLs to read arbitrary files accessible by the web server process or 'http://' URLs targeting internal network addresses to probe internal services, with the response bodies returned to the caller. Server-Side Request Forgery (SSRF) is a flaw that allows an attacker to induce the server-side application to make requests to an unintended location. **Recommendations** Update to version 1.0.8.1 or later. As a temporary workaround, restrict access to the 'oEmbedProxy' action in the 'editor/editor' module.

Vvveb prior to 1.0.8.1 contains a privilege escalation vulnerability in the admin user profile save endpoint that allows authenticated users to modify privileged fields on their own profile. Attackers can inject role id=1 into profile save requests to escalate to Super Administrator privileges, enabling plugin upload functionality for remote code execution.

**Name of the Vulnerable Software and Affected Versions** TYPO3 versions 9.0.0 through 9.5.50 ELTS TYPO3 versions 10.0.0 through 10.4.49 ELTS TYPO3 versions 11.0.0 through 11.5.43 ELTS TYPO3 versions 12.0.0 through 12.4.30 LTS TYPO3 versions 13.0.0 through 13.4.11 LTS **Description** The file management module in TYPO3's backend user interface allows the upload of any file type, with the exception of those that are directly executable in a web server context. This lack of restriction means it is possible to upload files that may be considered potentially harmful, such as executable binaries or files with inconsistent file extensions and MIME types. Although such files are not directly executable through the web server, their presence can introduce indirect risks, such as third-party services flagging or blocking access to the website for end users if suspicious files are found. **Recommendations** Update to TYPO3 version 9.5.51 ELTS to fix the problem. Update to TYPO3 version 10.4.50 ELTS to fix the problem. Update to TYPO3 version 11.5.44 ELTS to fix the problem. Update to TYPO3 version 12.4.31 LTS to fix the problem. Update to TYPO3 version 13.4.12 LTS to fix the problem.

**Name of the Vulnerable Software and Affected Versions** Apache Answer versions through 1.4.2 Apache Answer versions prior to 1.4.5 **Description** This issue affects users who use externally referenced images. When a user accesses such an image, the provider of the image may obtain private information about the IP address of the accessing user. **Recommendations** For Apache Answer versions through 1.4.2, upgrade to version 1.4.5, which fixes the issue and allows administrators to set whether external content can be displayed. For Apache Answer versions prior to 1.4.5, upgrade to version 1.4.5 to resolve the issue.