Jürgen Zöller

**Name of the Vulnerable Software and Affected Versions** CI-Out-of-Office Manager versions through 6.0.0.77 **Description** The issue concerns the use of a hard-coded cryptographic key in the software. This could potentially allow unauthorized access or decryption of sensitive data. **Recommendations** For versions through 6.0.0.77, consider updating to a version that does not use a hard-coded cryptographic key, if available. As a temporary workaround, restrict access to sensitive data handled by the CI-Out-of-Office Manager to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** COINS Construction Cloud version 11.12 **Description** An issue was discovered due to logical flaws in the human resources interface, making it vulnerable to privilege escalation by HR personnel. **Recommendations** For COINS Construction Cloud version 11.12, consider restricting access to the human resources interface to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** COINS Construction Cloud version 11.12 **Description** The issue is related to insufficient input neutralization, making it vulnerable to denial of service attacks via forced server crashes. **Recommendations** For COINS Construction Cloud version 11.12, consider implementing proper input validation and neutralization to prevent forced server crashes. As a temporary workaround, restrict access to sensitive inputs that could cause server crashes until a patch is available.

**Name of the Vulnerable Software and Affected Versions** COINS Construction Cloud version 11.12 **Description** The issue is related to improper input neutralization, making it vulnerable to reflected cross-site scripting (XSS) via malicious links. This affects the search window and activity view window. **Recommendations** For COINS Construction Cloud version 11.12, update to a version that properly neutralizes input to prevent reflected cross-site scripting (XSS) attacks. As a temporary workaround, consider restricting access to the search window and activity view window to minimize the risk of exploitation. Avoid using malicious links that could trigger the XSS vulnerability until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** COINS Construction Cloud version 11.12 **Description** An issue was discovered due to improper validation of user-controlled HTTP headers, allowing attackers to cause the system to send password-reset e-mails pointing to arbitrary websites. **Recommendations** For COINS Construction Cloud version 11.12, consider temporarily restricting the password-reset functionality until a patch is available to prevent exploitation. Additionally, review and improve the validation of user-controlled HTTP headers to prevent similar issues in the future. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** COINS Construction Cloud version 11.12 **Description** An issue was discovered in the application where JavaScript code is passed as a URL parameter in several locations. This allows attackers to alter the code and cause malicious behavior, making the application vulnerable to reflected XSS via malicious URLs. **Recommendations** For COINS Construction Cloud version 11.12, consider restricting access to URL parameters that accept JavaScript code to minimize the risk of exploitation. As a temporary workaround, avoid using URLs with JavaScript code until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Strapi versions prior to 3.6.1 is not mentioned, however, the version 3.6.0 is mentioned as vulnerable, so we can say Strapi versions 3.6.0 and earlier Description: The admin panel in Strapi allows users to change their own password without entering the current password. An attacker who gains access to a valid session can exploit this to take over an account by changing the password. Recommendations: For Strapi versions 3.6.0 and earlier, update to version 3.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin panel to minimize the risk of exploitation.