Javier Olmedo

**Name of the Vulnerable Software and Affected Versions** XMLBlueprint versions prior to 16.191112 **Description** The issue is related to XML External Entity Injection, allowing for Arbitrary File Read when an XML file is validated. This is due to errors in processing .dtd files. The attack vector involves a specially crafted XML payload. Exploitation of this issue may allow a remote attacker to cause a denial of service or read arbitrary files by tricking a user into opening a specially crafted XML file. **Recommendations** For XMLBlueprint versions prior to 16.191112, as a temporary workaround, consider disabling the XML Validate function until a patch is available. Restrict access to the XML validation component to minimize the risk of exploitation. Avoid using specially crafted XML files that could trigger the vulnerability until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Easy XML Editor versions prior to 1.7.9 **Description** The issue is related to XML External Entity Injection in the XML Parsing component, allowing for Arbitrary File Read and Denial of Service (DoS) by consuming resources. This can be achieved through a specially crafted XML payload. The attack vector involves exploiting errors in XML request processing, potentially enabling a remote attacker to cause application downtime or read arbitrary files in the system by tricking a user into opening a specially formed XML file. **Recommendations** For Easy XML Editor versions prior to 1.7.9, update to version 1.7.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the XML Parsing component until a patch is available. Avoid using specially crafted XML payloads in the affected XML Parsing component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rukovoditel versions prior to 2.4.1 **Description** The issue allows for XSS. **Recommendations** For versions prior to 2.4.1, update to version 2.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Artica Integria IMS version 5.0.83 **Description** The issue allows for CSRF in the "godmode/usuarios/lista usuarios" API endpoint, resulting in the ability to delete an arbitrary user when the `user id` is known. **Recommendations** For Artica Integria IMS version 5.0.83, as a temporary workaround, consider restricting access to the "godmode/usuarios/lista usuarios" API endpoint to minimize the risk of exploitation. Avoid using the `user id` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Artica Integria IMS version 5.0.83 **Description** The issue allows for XSS via the `search string` parameter. **Recommendations** For Artica Integria IMS version 5.0.83, avoid using the `search string` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** AbiSoft Ticketly version 1.0 **Description** The issue allows remote attackers to create administrator accounts. This can be achieved via an action/add user.php POST request, specifically exploiting the `add user` functionality. **Recommendations** For AbiSoft Ticketly version 1.0, consider disabling the `add user` functionality in action/add user.php until a patch is available to prevent the creation of unauthorized administrator accounts.

**Name of the Vulnerable Software and Affected Versions** AbiSoft Ticketly version 1.0 **Description** The issue affects AbiSoft Ticketly through multiple SQL Injection vulnerabilities. These vulnerabilities are found in the parameters `name`, `category id`, and `description` in the "action/addproject.php" endpoint, `kind id`, `priority id`, `project id`, `status id`, and `title` in the "action/addticket.php" endpoint, and `kind id` and `status id` in the "reports.php" endpoint. **Recommendations** For AbiSoft Ticketly version 1.0, as a temporary workaround, consider restricting access to the vulnerable endpoints "action/addproject.php", "action/addticket.php", and "reports.php" to minimize the risk of exploitation. Avoid using the parameters `name`, `category id`, `description`, `kind id`, `priority id`, `project id`, `status id`, and `title` in the affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions prior to 1.44 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `dashboard name` parameter in the "/ajax form.php" API endpoint, related to files such as "html/includes/forms/add-dashboard.inc.php", "html/includes/forms/delete-dashboard.inc.php", and "html/includes/forms/edit-dashboard.inc.php". **Recommendations** For versions prior to 1.44, update to version 1.44 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/ajax form.php" endpoint or avoiding the use of the `dashboard name` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Jorani version 0.6.5 **Description** An issue allows a user without permissions to read and modify sensitive information from the database via the `startdate` or `enddate` parameter to leaves/validate. This is due to SQL Injection, which is error-based. **Recommendations** For Jorani version 0.6.5, avoid using the `startdate` or `enddate` parameter in the leaves/validate endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the database to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jorani version 0.6.5 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `language` parameter to the "session/language" API endpoint. This enables attackers to perform persistent cross-site scripting (XSS) attacks. **Recommendations** For Jorani version 0.6.5, as a temporary workaround, consider restricting access to the "session/language" API endpoint until a patch is available. Additionally, avoid using the `language` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Sentrifugo version 3.2 **Description** A SQL Injection issue was discovered in the software, specifically via the `deptid` parameter. **Recommendations** For Sentrifugo version 3.2, avoid using the `deptid` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Export Users to CSV plugin versions prior to 1.1.2 **Description** The issue allows CSV injection. **Recommendations** For Export Users to CSV plugin versions prior to 1.1.2, update to version 1.1.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mondula Multi Step Form plugin versions prior to 1.2.6 **Description** The issue allows for XSS exploitation via specific fields in the contact form, including `fw data [id][1]`, `fw data [id][2]`, `fw data [id][3]`, `fw data [id][4]`, or the `email` field. This can be exploited using an `fw send email` action to the "/wp-admin/admin-ajax.php" API endpoint. **Recommendations** For Mondula Multi Step Form plugin versions prior to 1.2.6, update to version 1.2.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the contact form fields `fw data [id][1]`, `fw data [id][2]`, `fw data [id][3]`, `fw data [id][4]`, and `email` to minimize the risk of exploitation. Avoid using the `fw send email` action to the "/wp-admin/admin-ajax.php" API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** All In One Favicon plugin version 4.6 **Description** The issue concerns multiple persistent cross-site scripting (XSS) problems. Remote attackers can inject arbitrary web script or HTML via specific text fields, including Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text. **Recommendations** For All In One Favicon plugin version 4.6, update to a version that addresses these XSS issues to prevent remote attackers from injecting arbitrary web script or HTML.