Longrifle0X

**Name of the Vulnerable Software and Affected Versions** Parallels H-Sphere version 3.3 Patch 1 **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow remote attackers to hijack the authentication of admins for specific requests, including adding group plans via "admin/group plans.html" and adding extra packages via "admin/extra packs/create extra pack.html". **Recommendations** For Parallels H-Sphere version 3.3 Patch 1, as a temporary workaround, consider restricting access to the "admin/group plans.html" and "admin/extra packs/create extra pack.html" endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Endian Firewall version 2.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to security breaches. This can be achieved via the `createrule` parameter to "dnat.cgi", the `addrule` parameter to "dansguardian.cgi", or the `PATH INFO` to "openvpn users.cgi". **Recommendations** For Endian Firewall version 2.4, consider disabling access to the "dnat.cgi", "dansguardian.cgi", and "openvpn users.cgi" scripts until a patch is available. Avoid using the `createrule` and `addrule` parameters in the affected API endpoints until the issue is resolved. Restrict access to the `PATH INFO` in "openvpn users.cgi" to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Alurian Prismotube PHP Video Script (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `id` parameter to the "index.php" endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OSQA version 3b **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) url bar or (2) picture bar. **Recommendations** For OSQA version 3b, update to a version that includes a fix for the XSS vulnerabilities in the questions/ask functionality. As a temporary workaround, consider restricting user input in the url bar and picture bar to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dolibarr CMS version 3.2.0 Alpha **Description** The issue allows remote attackers to read arbitrary files and possibly execute arbitrary code via a .. (dot dot) in the `file` parameter to "document.php" or `backtopage` parameter in a create action to "comm/action/fiche.php". **Recommendations** For Dolibarr CMS version 3.2.0 Alpha, consider restricting access to the "document.php" and "comm/action/fiche.php" files until a patch is available. As a temporary workaround, avoid using the `file` and `backtopage` parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** WPTouch plugin for WordPress (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `id` parameter in the `/wptouch/ajax.php` API endpoint. **Recommendations** For the affected version, consider restricting access to the `/wptouch/ajax.php` API endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jetpack plugin for WordPress (affected versions not specified) **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `id` parameter in the modules/sharedaddy.php file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.