Jasveer Singh

**Name of the Vulnerable Software and Affected Versions** MyBiz MyProcureNet version 5.0.0 **Description** A cross-site scripting (XSS) issue was found, allowing an attacker to inject malicious client-side scripting into the "ProxyPage.aspx" page. This scripting will be executed in the browser of users who visit the manipulated site. **Recommendations** For MyBiz MyProcureNet version 5.0.0, consider restricting access to the "ProxyPage.aspx" page until a fix is available. As a temporary workaround, avoid using the page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MyBiz MyProcureNet version 5.0.0 **Description** An issue allows a malicious file to be uploaded to the webserver, enabling an attacker to upload a script and issue operating system commands. This occurs because the `HiddenFieldControlCustomWhiteListedExtensions` parameter can be adjusted by an attacker to add arbitrary extensions to the whitelist during upload, allowing malicious files to be uploaded and executed to take over the server. **Recommendations** For MyBiz MyProcureNet version 5.0.0, restrict access to the file upload feature and remove any custom extensions from the `HiddenFieldControlCustomWhiteListedExtensions` parameter to prevent malicious file uploads. Additionally, consider disabling the file upload feature until a fix is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** ClipBucket versions prior to 4.0.0 Release 4902 **Description** An issue exists where SQL injection vulnerabilities are present in several parameters. The affected parameters include the `channelId` parameter in the "actions/vote channel.php" endpoint, the `email` parameter in the "ajax/commonAjax.php" endpoint, and the `username` parameter in the "ajax/commonAjax.php" endpoint. **Recommendations** For ClipBucket versions prior to 4.0.0 Release 4902, consider updating to version 4.0.0 Release 4902 or later to resolve the issue. As a temporary workaround, restrict access to the "actions/vote channel.php", "ajax/commonAjax.php" endpoints to minimize the risk of exploitation. Avoid using the `channelId`, `email`, and `username` parameters in the affected endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 4.0.0 Release 4902 Description: The issue allows a remote attacker to upload malicious files to the server using the `name` parameter in the `/actions/beats uploader.php` or `/actions/photo uploader.php` API endpoints, or the `coverPhoto` parameter in the `edit account.php` endpoint. Recommendations: For ClipBucket versions prior to 4.0.0 Release 4902, update to version 4.0.0 Release 4902 or later to resolve the issue. As a temporary workaround, consider restricting access to the `beats uploader.php`, `photo uploader.php`, and `edit account.php` scripts to minimize the risk of exploitation. Avoid using the `name` and `coverPhoto` parameters in the affected API endpoints until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: ClipBucket versions prior to 4.0.0 Release 4902 Description: The issue is related to the lack of proper neutralization of special elements used in OS commands. This allows an attacker to inject any OS commands via shell metacharacters in the `file name` parameter to "/api/file uploader.php" or "/actions/file downloader.php" API endpoints. The exploitation of this issue may enable a remote attacker to execute arbitrary OS commands using the `file name` parameter. Recommendations: For ClipBucket versions prior to 4.0.0 Release 4902, consider disabling the "/api/file uploader.php" and "/actions/file downloader.php" API endpoints until a patch is available. Restrict access to these endpoints to minimize the risk of exploitation. Avoid using the `file name` parameter in the affected API endpoints until the issue is resolved.