Joshua Provoste

**Name of the Vulnerable Software and Affected Versions** 1 Click WordPress Migration Plugin – 100% FREE for a limited time versions up to, and including, 2.1 **Description** The issue allows unauthenticated attackers to extract sensitive data, including usernames and their respective password hashes, during a short window of time in which the backup is in process. This is possible via the class-ocm-backup.php file. **Recommendations** For versions up to, and including, 2.1, consider disabling the backup process temporarily until a patch is available to prevent exploitation. Restrict access to the class-ocm-backup.php file to minimize the risk of sensitive information exposure.

**Name of the Vulnerable Software and Affected Versions** 1 Click WordPress Migration Plugin – 100% FREE for a limited time versions up to 2.1 **Description** The issue is related to Cross-Site Request Forgery. This is due to missing or incorrect nonce validation on the `cancel actions()` function. This makes it possible for unauthenticated attackers to cancel a triggered backup via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. **Recommendations** For versions up to 2.1, consider disabling the `cancel actions()` function until a patch is available to prevent exploitation. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid performing actions that could be triggered by a forged request until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rapid Cache plugin for WordPress versions up to, and including, 1.2.3 **Description** The issue arises from the plugin storing HTTP headers in the cached data, making it possible for unauthenticated attackers to poison the cache with custom HTTP headers that may be unsanitized, leading to Cross-Site Scripting. This vulnerability can be exploited by attackers to inject malicious content into the cache, potentially affecting users who access the cached content. **Recommendations** For versions up to, and including, 1.2.3, update to a version later than 1.2.3 to resolve the issue. As a temporary workaround, consider restricting access to the cache or disabling the storage of HTTP headers in the cached data until a patch is available. Avoid using unsanitized HTTP headers in the cache to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Advanced File Manager plugin for WordPress versions up to and including 5.2.10 **Description** The issue arises from missing file type validation via the 'class fma connector.php' file, allowing authenticated attackers with Subscriber-level access or higher, and permissions granted by an Administrator, to upload arbitrary files on the affected site's server. This could potentially make remote code execution possible. The vulnerable parameter is the file type, which is not properly validated, making it possible to upload malicious files. **Recommendations** For versions up to and including 5.2.10, update to a version higher than 5.2.10 to resolve the issue. As a temporary workaround, consider restricting access to the 'class fma connector.php' file until a patch is available. Restrict permissions for uploading files to only necessary users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.2.13 **Description** The issue concerns a stored XSS vulnerability in the Filemanager component. This can be exploited via a .pxd file, as shown by sending `m1 files[]` to the "admin/moduleinterface.php" endpoint. **Recommendations** For CMS Made Simple version 2.2.13, consider disabling the Filemanager component until a patch is available to prevent potential exploitation. Restrict access to the "admin/moduleinterface.php" endpoint to minimize the risk of stored XSS attacks. Avoid using the `m1 files[]` variable in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CMS Made Simple version 2.2.13 **Description** The issue allows remote code execution via a specially crafted .php.jpegd JPEG file. This can be achieved by sending a file as application/octet-stream to the `admin/moduleinterface.php` endpoint, specifically using the `m1 files[]` parameter. The file does not need to be a valid JPEG, but it should contain PHP code. **Recommendations** For CMS Made Simple version 2.2.13, consider restricting access to the `admin/moduleinterface.php` endpoint to minimize the risk of exploitation, and avoid using the `m1 files[]` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Synaptive Medical ClearCanvas ImageServer version 3.0 Alpha **Description** The issue allows for XSS and HTML injection via the `UserName` parameter in the "Default.aspx" endpoint. **Recommendations** For Synaptive Medical ClearCanvas ImageServer version 3.0 Alpha, avoid using the `UserName` parameter in the Default.aspx endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the Default.aspx endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OutSystems Platform versions 10 through 11 **Description** The issue allows for CSRF attacks on ImageResourceDetail.aspx, potentially leading to content modifications and file uploads. It is noted that the product is self-hosted by the customer. However, the vendor disputes the existence of this issue, claiming it was reported without validation. **Recommendations** For OutSystems Platform versions 10 through 11, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CKFinder versions 2.6.2.1 and earlier CKFinder versions 3.x through 3.5.0 **Description** The issue arises from misleading information in the documentation of CKFinder, which may lead to the incorrect assumption that the application has built-in content sniffing protection. **Recommendations** For CKFinder versions 2.6.2.1 and earlier, update to a version later than 2.6.2.1. For CKFinder versions 3.x through 3.5.0, update to a version later than 3.5.0.

**Name of the Vulnerable Software and Affected Versions** CKFinder versions prior to 2.6.2.1 CKFinder for ASP versions prior to 2.6.2.1 CKFinder for ASP.NET versions prior to 2.6.2.1 CKFinder for ColdFusion versions prior to 2.6.2.1 CKFinder for PHP versions prior to 2.6.2.1 **Description** An issue was discovered that allows remote attackers to upload files without any extension, even if the application was configured to accept files only with a defined set of extensions, due to improper checks of file names. **Recommendations** For CKFinder versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue. For CKFinder for ASP versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue. For CKFinder for ASP.NET versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue. For CKFinder for ColdFusion versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue. For CKFinder for PHP versions prior to 2.6.2.1, update to version 2.6.2.1 or later to resolve the issue.