Luis Noriega

**Name of the Vulnerable Software and Affected Versions** Sentrifugo version 3.2 **Description** The issue allows for Stored Cross-Site Scripting (XSS) by inserting a payload within the `X-Forwarded-For` HTTP header during the login process. When an administrator views logs, the payload is executed. This affects products that are no longer supported by the maintainer. **Recommendations** For Sentrifugo version 3.2, as the product is no longer supported by the maintainer, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM version 7.11.13 **Description** The issue is related to stored Cross-Site Scripting (XSS) in the Documents preview functionality. This could allow remote authenticated attackers to inject arbitrary web script or HTML. **Recommendations** For SuiteCRM version 7.11.13, consider disabling the Documents preview functionality until a patch is available to prevent exploitation. Restrict access to the Documents module to minimize the risk of arbitrary web script or HTML injection.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.11.14 **Description** The issue is related to an Open Redirect in the Documents module of SuiteCRM, which can be exploited via a crafted SVG document. **Recommendations** For versions prior to 7.11.14, update to version 7.11.14 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.11.14 **Description** The issue allows for CSV Injection via registration fields in the Accounts, Contacts, Opportunities, and Leads modules. This occurs due to mishandling of these fields during a Download Import File Template operation. **Recommendations** For versions prior to 7.11.14, update to version 7.11.14 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.11.17 **Description** The issue allows for remote code execution via the system settings Log File Name setting. In certain circumstances involving admin account takeover, the `logger file name` can refer to an attacker-controlled .php file under the web root. **Recommendations** For versions prior to 7.11.17, update to version 7.11.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the system settings Log File Name setting to prevent admin account takeover and minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dolibarr version 11.0.4 **Description** The issue concerns multiple stored Cross-Site Scripting (XSS) vulnerabilities. These could allow remote authenticated attackers to inject arbitrary web script or HTML. This can be done via several API endpoints, including "ticket/card.php?action=create" with the `subject`, `message`, or `address` parameter, "adherents/card.php" with the `societe` or `address` parameter, "product/card.php" with the `label` or `customcode` parameter, or "societe/card.php" with the `alias` or `barcode` parameter. **Recommendations** For Dolibarr version 11.0.4, update to a version that includes a fix for these stored XSS vulnerabilities. As a temporary workaround, consider restricting access to the affected API endpoints, such as "ticket/card.php?action=create", "adherents/card.php", "product/card.php", and "societe/card.php", to minimize the risk of exploitation. Additionally, limit the use of vulnerable parameters like `subject`, `message`, `address`, `societe`, `label`, `customcode`, `alias`, and `barcode` in these endpoints until a patch is available.