Jan Rude

**Name of the Vulnerable Software and Affected Versions** Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux versions 9.47x and below **Description** A cross-site scripting (XSS) issue was discovered. This type of issue occurs when an application includes user input in its output without proper validation or encoding, allowing an attacker to inject malicious scripts into the application. **Recommendations** For versions 9.47x and below, update to a version above 9.47x to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Syncovery versions 9.47x and below **Description** The issue is related to remote code execution via the `Job ExecuteBefore` and `Job ExecuteAfter` parameters at the "post profilesettings.php" endpoint. It is associated with a lack of data sanitization at the management level. Exploitation of this issue may allow a remote attacker to elevate their privileges. **Recommendations** For Syncovery versions 9.47x and below, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Syncovery versions 9.47x and below **Description** The issue is related to the component post applogin.php, which allows attackers to escalate privileges via creating crafted session tokens. This is associated with the possibility of decoding a session token of the backup tool Syncovery, potentially enabling a remote attacker to elevate their privileges. **Recommendations** For Syncovery versions 9.47x and below, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the post applogin.php component to minimize the risk of exploitation. Avoid using crafted session tokens in the affected component until the issue is resolved.