Howchen

**Name of the Vulnerable Software and Affected Versions** dotCMS versions prior to 5.0.2 **Description** The issue concerns open redirects. Specifically, it affects the `FORWARD URL` parameter in the html/common/forward js.jsp endpoint and the `hostname` parameter in the html/portlet/ext/common/page preview popup.jsp endpoint. **Recommendations** For versions prior to 5.0.2, update to version 5.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable endpoints, specifically the html/common/forward js.jsp and html/portlet/ext/common/page preview popup.jsp pages, to minimize the risk of exploitation. Avoid using the `FORWARD URL` and `hostname` parameters in the affected endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Monstra CMS version 3.0.4 **Description** The issue concerns an information leakage risk, where sensitive data such as PATH, DOCUMENT ROOT, and SERVER ADMIN may be exposed. This is related to the file libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php. **Recommendations** For Monstra CMS version 3.0.4, update the libraries/Gelato/ErrorHandler/Resources/Views/Errors/exception.php file to prevent information leakage. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Monstra CMS version 3.0.4 **Description** The issue occurs when an individual attempts to register an account with a crafted `password` parameter to the "users/registration" endpoint. This is a distinct issue from previously identified vulnerabilities. **Recommendations** For Monstra CMS version 3.0.4, consider restricting access to the "users/registration" endpoint until a fix is available, and avoid using crafted password parameters to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** Monstra CMS version 3.0.4 **Description** The issue allows HTTP header injection in the `cfg` parameter of the plugins/captcha/crypt/cryptographp.php file. **Recommendations** For Monstra CMS version 3.0.4, consider restricting access to the vulnerable `cryptographp.php` file until a patch is available. Avoid using the `cfg` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** dotCMS version 5.0.1 **Description** The issue concerns a problem with the dotCMS software. It is reported that there is an XSS issue in the /html/portlet/ext/contentlet/image tools/index.jsp "fieldName" and "inode" parameters. **Recommendations** For dotCMS version 5.0.1, update to a version that includes a fix for this issue, as no specific workaround is provided in the available data.

**Name of the Vulnerable Software and Affected Versions** phpkaiyuancms PhpOpenSourceCMS (POSCMS) version 3.2.0 **Description** The issue allows an unauthenticated user to execute arbitrary SQL commands. This is achieved via the "diy/module/member/controllers/Api.php" file, specifically through the `ajax save draft` function, by manipulating the `dir` parameter. **Recommendations** For phpkaiyuancms PhpOpenSourceCMS (POSCMS) version 3.2.0, consider restricting access to the `ajax save draft` function in the Api.php file until a patch is available. As a temporary workaround, avoid using the `dir` parameter in the affected API endpoint.

**Name of the Vulnerable Software and Affected Versions** damiCMS version 6.0.1 **Description** An issue allows remote code execution via PHP code in a multipart/form-data POST to the "admin.php?s=/Tpl/Update.html" API endpoint. This can be used to update files, such as Web/Tpl/default/head.html. **Recommendations** For version 6.0.1, avoid using the `admin.php?s=/Tpl/Update.html` endpoint until a fix is available, and restrict access to file updates to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** damiCMS version 6.0.1 **Description** An issue was discovered where the software relies on the PHP `time()` function for cookies. This makes it possible to determine the cookie for an existing admin session via a certain number of guesses. **Recommendations** For damiCMS version 6.0.1, consider implementing a more secure method for generating cookies to prevent guessing attacks. As a temporary workaround, restrict access to admin sessions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** damiCMS version 6.0.1 **Description** An issue was discovered in damiCMS, where Directory Traversal is possible via '|' characters in the `s` parameter to "admin.php", as demonstrated by an "admin.php?s=Tpl/Add/id/c:|windows|win.ini" URI. **Recommendations** For damiCMS version 6.0.1, consider restricting access to the "admin.php" endpoint to minimize the risk of exploitation, and avoid using the `s` parameter with '|' characters until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.