M4Lwhere

**Name of the Vulnerable Software and Affected Versions** Tenable Nessus (affected versions not specified) **Description** A stored XSS issue exists where an authenticated, remote attacker with administrator privileges on the Nessus application could alter Nessus proxy settings, leading to the execution of remote arbitrary scripts. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchInfo version 1.3.0 **Description** The issue allows attackers to achieve remote code execution through insecure uploads in the ChurchInfo application. This requires authenticated access to the application. Once authenticated, a user can upload attachments for emails without any limitations on file types, allowing for malicious PHP code to be uploaded and interpreted by the server. **Recommendations** For ChurchInfo version 1.3.0, consider restricting access to the `/tmp attach/` folder to prevent direct access to uploaded files, and implement file type validation to prevent uploading of malicious PHP code. As a temporary workaround, consider disabling the file upload feature for email attachments until a patch is available.