Hibiki Moriyama

**Name of the Vulnerable Software and Affected Versions** Webmin versions prior to 1.970 Usermin versions prior to 1.820 **Description** A cross-site scripting issue exists due to inadequate protection of the webpage structure in the session login.cgi script of Webmin and Usermin. This can be exploited by a remote attacker to conduct cross-site scripting attacks using a specially crafted link, potentially allowing an arbitrary script to be executed on the user's web browser, altering webpages or disclosing sensitive information such as credentials. **Recommendations** For Webmin versions prior to 1.970, update to version 1.970 or later to resolve the issue. For Usermin versions prior to 1.820, update to version 1.820 or later to resolve the issue. As a temporary workaround, consider restricting access to the session login.cgi script until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Forminator versions prior to 1.15.4 **Description** The issue is related to a cross-site scripting vulnerability. If exploited, a remote attacker may obtain user information and alter the page contents on the user's web browser. The vulnerability is associated with the lack of protection measures for the web page structure, which could allow an attacker to gain unauthorized access to protected information and conduct cross-site scripting attacks. **Recommendations** For versions prior to 1.15.4, update to version 1.15.4 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive user information and monitoring web page contents for any unauthorized alterations.

**Name of the Vulnerable Software and Affected Versions** Movable Type plugin A-Form versions prior to 4.1.1 (for Movable Type 7 Series) Movable Type plugin A-Form versions prior to 3.9.1 (for Movable Type 6 Series) **Description** A cross-site scripting issue allows a remote unauthenticated attacker to inject an arbitrary script. **Recommendations** For Movable Type plugin A-Form versions prior to 4.1.1 (for Movable Type 7 Series), update to version 4.1.1 or later. For Movable Type plugin A-Form versions prior to 3.9.1 (for Movable Type 6 Series), update to version 3.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** exceedone/exment versions 5.0.2 and earlier exceedone/exment versions 4.4.2 and earlier exceedone/laravel-admin versions 3.0.0 and earlier exceedone/laravel-admin versions 2.2.2 and earlier **Description** The issue is related to a SQL injection vulnerability that allows remote authenticated attackers to execute arbitrary SQL commands. This can potentially enable an attacker to access and manipulate the application's database. **Recommendations** For exceedone/exment versions 5.0.2 and earlier, update to a version later than 5.0.2 to resolve the issue. For exceedone/exment versions 4.4.2 and earlier, update to a version later than 4.4.2 to resolve the issue. For exceedone/laravel-admin versions 3.0.0 and earlier, update to a version later than 3.0.0 to resolve the issue. For exceedone/laravel-admin versions 2.2.2 and earlier, update to a version later than 2.2.2 to resolve the issue. As a temporary workaround, consider restricting access to the database to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** exceedone/exment versions 5.0.2 and earlier exceedone/exment versions 4.4.2 and earlier exceedone/laravel-admin versions 3.0.0 and earlier exceedone/laravel-admin versions 2.2.2 and earlier **Description** A reflected cross-site scripting issue allows a remote authenticated attacker to inject an arbitrary script. **Recommendations** For exceedone/exment versions 5.0.2 and earlier, update to a version later than 5.0.2 to resolve the issue. For exceedone/exment versions 4.4.2 and earlier, update to a version later than 4.4.2 to resolve the issue. For exceedone/laravel-admin versions 3.0.0 and earlier, update to a version later than 3.0.0 to resolve the issue. For exceedone/laravel-admin versions 2.2.2 and earlier, update to a version later than 2.2.2 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SHIRASAGI versions 1.0.0 through 1.14.2 SHIRASAGI version 1.15.0 **Description** A cross-site scripting issue allows a remote attacker to inject an arbitrary script via unspecified vectors. **Recommendations** For SHIRASAGI versions 1.0.0 through 1.14.2, update to a version that is not affected by this issue. For SHIRASAGI version 1.15.0, update to a version that is not affected by this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** a-blog cms versions prior to 2.8.75 a-blog cms versions prior to 2.9.40 a-blog cms versions prior to 2.10.44 a-blog cms versions prior to 2.11.42 a-blog cms versions prior to 3.0.1 **Description** The issue allows a remote authenticated attacker to obtain an arbitrary file on the server. This is due to a template injection vulnerability, which is caused by improper neutralization of special elements used in a template engine. **Recommendations** For versions prior to 2.8.75, update to version 2.8.75 or later. For versions prior to 2.9.40, update to version 2.9.40 or later. For versions prior to 2.10.44, update to version 2.10.44 or later. For versions prior to 2.11.42, update to version 2.11.42 or later. For versions prior to 3.0.1, update to version 3.0.1 or later.