Joelister

Name of the Vulnerable Software and Affected Versions: MyBB version 1.8.20 Description: The issue allows remote attackers to inject arbitrary web script or HTML via the `Description` field in the Add New Forum page. This can be achieved by doing an authenticated POST HTTP request to "/Upload/admin/index.php?module=forum-management&action=add". Recommendations: For MyBB version 1.8.20, as a temporary workaround, consider restricting access to the "Add New Forum" page and the `/Upload/admin/index.php?module=forum-management&action=add` endpoint until a patch is available. Avoid using the `Description` field in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: MyBB version 1.8.20 Description: The issue allows remote attackers to inject arbitrary web script or HTML via the `Title` field in the Add New Forum page. This can be achieved by doing an authenticated POST HTTP request to '/Upload/admin/index.php?module=forum-management&action=add'. Recommendations: For MyBB version 1.8.20, as a temporary workaround, consider restricting access to the 'Title' field in the Add New Forum page until a patch is available. Avoid using the `Title` field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: qdPM version 9.1 Description: A Cross Site Scripting (XSS) issue exists in the Heading field found in the Login Page under the General menu. This can be exploited via a crafted website name by doing an authenticated POST HTTP request to "/qdPM 9.1/index.php/configuration". Recommendations: For qdPM version 9.1, as a temporary workaround, consider restricting access to the Heading field in the Login Page until a patch is available. Avoid using crafted website names in the Heading field to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.4.1 Description: A stored cross-site scripting (XSS) issue exists in the Copyright Text field, located in the Application page under the Configuration menu. This allows remote attackers to inject arbitrary web script or HTML via a crafted website name by sending an authenticated POST HTTP request to "/rukovoditel 2.4.1/index.php?module=configuration/save&redirect to=configuration/application". Recommendations: For Rukovoditel version 2.4.1, consider disabling the Copyright Text field in the Application page under the Configuration menu until a patch is available. Restrict access to the `/rukovoditel 2.4.1/index.php?module=configuration/save&redirect to=configuration/application` endpoint to minimize the risk of exploitation. Avoid using crafted website names that could inject arbitrary web script or HTML. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Hucart CMS version 5.7.4 Description: The issue is related to a SQL Injection vulnerability. It is found in the basic information field, specifically in the avatar `usd image` field. Recommendations: For Hucart CMS version 5.7.4, consider restricting access to the `usd image` field in the avatar section to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Hucart CMS version 5.7.4 Description: The issue is related to a SQL Injection vulnerability. It can be exploited via the purchase enquiry field found in the Message con content field. Recommendations: For Hucart CMS version 5.7.4, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.4.1 Description: A stored cross-site scripting (XSS) issue exists in the Name of application field on the General Configuration page, allowing remote attackers to inject arbitrary web script or HTML via a crafted website name by sending an authenticated POST HTTP request to the `/install/index.php` endpoint. The `name` variable is vulnerable to injection, enabling attackers to execute malicious scripts. Recommendations: For Rukovoditel version 2.4.1, as a temporary workaround, consider restricting access to the General Configuration page until a patch is available. Avoid using the `/install/index.php` endpoint with crafted website names to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: BigTree-CMS version 4.4.3 Description: A Cross Site Scripting (XSS) issue exists in the tag name field found in the Tags page under the General menu. This can be exploited via a crafted website name by doing an authenticated POST HTTP request to the "admin/tags/create" endpoint. Recommendations: For BigTree-CMS version 4.4.3, as a temporary workaround, consider restricting access to the tag name field in the Tags page until a patch is available. Avoid using the tag name field in the affected "admin/tags/create" endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cacti version 1.2.13 **Description** A cross-site scripting (XSS) issue exists due to improper escaping of error messages during template import preview in the `xml path` field. This occurs in the templates import.php file. **Recommendations** For Cacti version 1.2.13, consider disabling the template import preview feature until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to the templates import.php file to minimize the risk of exploitation. Avoid using the `xml path` field in the template import preview until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.