Ivano Binetti

**Name of the Vulnerable Software and Affected Versions** Axous versions 1.1.1 and earlier **Description** Multiple cross-site request forgery (CSRF) and cross-site scripting (XSS) issues allow remote attackers to hijack the authentication of administrators for requests. This can be done via various parameters to different PHP files, including `page title` to "admin/content pages edit.php", `category name[]` to "admin/products category.php", and multiple parameters to "admin/settings siteinfo.php", "admin/settings company.php", and "admin/settings email.php". **Recommendations** For Axous versions 1.1.1 and earlier, consider disabling access to the vulnerable PHP files, such as "admin/administrators add.php", "admin/content pages edit.php", "admin/products category.php", "admin/settings siteinfo.php", "admin/settings company.php", and "admin/settings email.php", until a patch is available. Restrict the use of vulnerable parameters, including `page title`, `category name[]`, `site name`, `seo title`, `meta keywords`, `company name`, `address1`, `address2`, `city`, `state`, `country`, `author first name`, `author last name`, `author email`, `contact first name`, `contact last name`, `contact email`, `general email`, `general phone`, `general fax`, `sales email`, `sales phone`, `support email`, `support phone`, `system email`, `sender name`, `smtp server`, `smtp username`, `smtp password`, and `order notice email`, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SyndeoCMS versions 3.0 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a "save user" action. **Recommendations** For SyndeoCMS versions 3.0 and earlier, update to a version that includes a fix for this issue to prevent CSRF attacks.

**Name of the Vulnerable Software and Affected Versions** DFLabs PTK versions 1.0.5 and earlier **Description** A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack the authentication of administrators or investigators for requests that trigger a logout. **Recommendations** For versions 1.0.5 and earlier, update to a version later than 1.0.5 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-2740B Gateway version EU 1.00 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of administrators for specific requests. The affected requests include enabling or disabling Wireless MAC Address Filters via a `wlFltMode` action to "wlmacflt.cmd", enabling or disabling firewall protections via a request to "scdmz.cmd", and enabling or disabling remote management via a `save` action to "scsrvcntr.cmd". **Recommendations** For D-Link DSL-2740B Gateway version EU 1.00, consider disabling the `wlmacflt.cmd`, `scdmz.cmd`, and `scsrvcntr.cmd` commands until a patch is available to prevent exploitation of the CSRF vulnerabilities. Restrict access to these commands to minimize the risk of unauthorized changes to Wireless MAC Address Filters, firewall protections, and remote management settings. Avoid using the `wlFltMode` and `save` actions in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** RazorCMS versions 1.2.1 and earlier **Description** A cross-site request forgery issue allows remote attackers to hijack administrator authentication for requests that delete arbitrary web pages via a `showcats` action in the `admin/index.php` file. **Recommendations** For RazorCMS versions 1.2.1 and earlier, update to a version later than 1.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SocialCMS version 1.0.2 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of administrators for specific requests. The requests in question are those that add administrator accounts via a "member new" action to "my admin/admin1 members.php" or modify the default site title via a "save" action to "my admin/admin1 configuration.php". **Recommendations** For SocialCMS version 1.0.2, as a temporary workaround, consider restricting access to the "my admin/admin1 members.php" and "my admin/admin1 configuration.php" files to minimize the risk of exploitation. Avoid using the "member new" and "save" actions in these files until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-2640B Firmware version EU 4.00 **Description** A cross-site request forgery issue allows remote attackers to hijack administrator authentication for requests that change the administrator password via the `sysPassword` parameter. **Recommendations** For D-Link DSL-2640B Firmware version EU 4.00, avoid using the `sysPassword` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the administrator panel to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plume CMS versions 1.2.4 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that create News pages via a publish action. **Recommendations** For Plume CMS versions 1.2.4 and earlier, as a temporary workaround, consider restricting access to the manager/news.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FlexCMS versions 3.2.1 and earlier **Description** The issue allows remote attackers to hijack user authentication for requests that change account settings via a request to "index.php/profile-edit-save" or hijack administrator authentication for requests that add a new page via a request to "admin/pages-new-save". **Recommendations** For FlexCMS versions 3.2.1 and earlier, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the "index.php/profile-edit-save" and "admin/pages-new-save" API endpoints until a patch is available. Avoid using these endpoints in a way that could allow unauthorized changes to account settings or addition of new pages.

**Name of the Vulnerable Software and Affected Versions** Sitecom WLM-2501 **Description** A cross-site request forgery (CSRF) issue exists, allowing remote attackers to hijack administrator authentication for requests that change the router passphrase via the `pskValue` parameter in the goform/admin/formWlEncrypt endpoint. **Recommendations** For Sitecom WLM-2501, as a temporary workaround, consider restricting access to the goform/admin/formWlEncrypt endpoint until a patch is available. Avoid using the `pskValue` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WordPress versions 3.3.1 and earlier **Description** The issue is related to the `wp create nonce` function, which associates a nonce with a user account instead of a user session. This might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network. Attacks can be demonstrated against the "wp-admin/admin-ajax.php" and "wp-admin/user-new.php" scripts. The vendor reportedly disputes the significance of this issue, stating that `wp create nonce` operates as intended. **Recommendations** For WordPress versions 3.3.1 and earlier, consider updating to a newer version to mitigate the risk of CSRF attacks. As a temporary workaround, restrict access to the "wp-admin/admin-ajax.php" and "wp-admin/user-new.php" scripts to minimize the risk of exploitation. Avoid using the `wp create nonce` function until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** SyndeoCMS versions 3.0.01 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote authenticated users to inject arbitrary web script or HTML via the `email` parameter in an edit user configuration action. **Recommendations** For SyndeoCMS versions 3.0.01 and earlier, consider restricting access to the edit user configuration action until a patch is available. As a temporary workaround, avoid using the `email` parameter in the affected configuration action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple versions 1.10.3 and earlier **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `email` parameter in the Edit User template. This is due to a vulnerability in the admin/edituser.php file. **Recommendations** For CMS Made Simple versions 1.10.3 and earlier, avoid using the `email` parameter in the Edit User template until a fix is available. As a temporary workaround, consider restricting access to the admin/edituser.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Plume CMS versions 1.2.4 and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the `u email` parameter (also known as the Authors Email field) or the `u realname` parameter (also known as the Authors Name field) in the manager/users.php file, or through the `c author` parameter (also known as the Author field) in an ADD A COMMENT section. **Recommendations** For Plume CMS versions 1.2.4 and earlier, consider disabling the manager/users.php file and the ADD A COMMENT section until a patch is available. Restrict access to the `u email`, `u realname`, and `c author` parameters to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SocialCMS versions 1.0.2 and earlier **Description** A cross-site scripting (XSS) issue allows remote authenticated users to inject arbitrary web script or HTML via the `TR title` parameter in an edit action. **Recommendations** For SocialCMS versions 1.0.2 and earlier, avoid using the `TR title` parameter in the affected edit action until a fix is available. As a temporary workaround, consider restricting access to the my admin/admin1 list pages.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Drupal versions 7.12 and earlier **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of arbitrary users for requests that end a session via the "user/logout" URI. The vendor disputes the significance of this issue, considering the security benefit against platform complexity and performance impact, and concludes that a change to the logout behavior is not planned because for most sites it is not worth the trade-off. **Recommendations** For versions 7.12 and earlier, consider disabling the logout functionality via the "user/logout" URI as a temporary workaround to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webfolio CMS versions 1.1.4 and earlier **Description** The issue allows remote attackers to hijack the authentication of administrators for requests. This can be done through "admin/users/add" or "admin/pages/edit/web page name" API endpoints. Specifically, the attack can add an administrator via an `add` action or modify a web page via a `save` action. **Recommendations** For Webfolio CMS versions 1.1.4 and earlier, update to a version later than 1.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the "admin/users/add" and "admin/pages/edit/web page name" API endpoints to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Contao versions 2.11.0 and earlier **Description** The issue allows remote attackers to hijack the authentication of administrators for requests, enabling them to perform unauthorized actions such as deleting users, news, or newsletters. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities in the main.php file. **Recommendations** For Contao versions 2.11.0 and earlier, as a temporary workaround, consider restricting access to the delete actions in the user, news, and newsletters modules until a patch is available. Avoid using these modules for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.