Hansmach1Ne

**Name of the Vulnerable Software and Affected Versions** Cuppa CMS version 1.0 **Description** The issue is related to a local file inclusion (LFI) vulnerability. It affects the component `/templates/default/html/windows/right.php`. **Recommendations** For Cuppa CMS version 1.0, consider restricting access to the `/templates/default/html/windows/right.php` component until a patch is available. As a temporary workaround, avoid using the vulnerable component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 2.9.1 **Description** GLPI is an open source IT Asset Management, issue tracking system and service desk system. The GLPI addressing plugin suffers from authenticated Remote Code Execution, allowing access to the server's underlying operating system using command injection abuse of functionality. **Recommendations** For versions prior to 2.9.1, upgrade to version 2.9.1 or later. As a temporary workaround, consider disabling the addressing plugin until a patch is available.

Name of the Vulnerable Software and Affected Versions: GLPI versions prior to 2.6.1 Description: The issue is related to a path traversal vulnerability in GLPI instances with the barcode plugin installed. This vulnerability was patched in version 2.6.1. Recommendations: For versions prior to 2.6.1, update to version 2.6.1 to resolve the issue. As a temporary workaround, consider deleting the `front/send.php` file.

Name of the Vulnerable Software and Affected Versions: OpenCATS versions 0.9.5-3 and earlier Description: The issue arises from the unsafe deserialization of requests to "index.php?m=activity", leading to remote code execution. This occurs because lib/DataGrid.php calls unserialize for the `activity:ActivityDataGrid` parameter. The PHP object injection exploit chain can leverage an destruct magic method in guzzlehttp. Recommendations: For OpenCATS versions 0.9.5-3 and earlier, consider disabling the `unserialize` function call in lib/DataGrid.php for the `activity:ActivityDataGrid` parameter until a patch is available. Restrict access to the "index.php?m=activity" endpoint to minimize the risk of exploitation. Avoid using the `activity:ActivityDataGrid` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OpenCATS versions 0.9.5-3 and earlier Description: The issue concerns multiple Cross-site Scripting (XSS) problems. Cross-site Scripting is a type of security vulnerability that allows an attacker to inject malicious scripts into a website, potentially leading to unauthorized access or control of user sessions. Recommendations: For OpenCATS versions 0.9.5-3 and earlier, at the moment, there is no information about a newer version that contains a fix for this issue.