Manhnho

**Name of the Vulnerable Software and Affected Versions** EquityPandit version 1.0 **Description** An insecure logging issue allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing user account credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JBMC DirectAdmin version 1.55 **Description** The issue allows for CSRF via the "/CMD ACCOUNT ADMIN" API endpoint to create a new admin account. **Recommendations** For version 1.55, consider disabling access to the "/CMD ACCOUNT ADMIN" API endpoint until a patch is available to prevent the creation of unauthorized admin accounts.

**Name of the Vulnerable Software and Affected Versions** perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2 **Description** An issue was discovered where a direct request to the "/etc/" directory provides a directory listing, potentially exposing sensitive information. **Recommendations** For perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2, consider restricting access to the "/etc/" directory to prevent directory listing. As a temporary workaround, restrict access to this directory until a patch is available.

**Name of the Vulnerable Software and Affected Versions** perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2 **Description** An issue was discovered where a direct request to "/style/" provides a directory listing, potentially exposing sensitive information. **Recommendations** For perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2, consider restricting access to the "/style/" directory to prevent directory listing.

**Name of the Vulnerable Software and Affected Versions** perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2 **Description** An issue was discovered where a direct request to the "/lib/" endpoint provides a directory listing, potentially exposing sensitive information. **Recommendations** For perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2, consider restricting access to the "/lib/" endpoint to prevent directory listing.

**Name of the Vulnerable Software and Affected Versions** perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2 **Description** An issue was discovered where a direct request to the "/images/" endpoint provides a directory listing, potentially exposing sensitive information. **Recommendations** For perfSONAR Monitoring and Debugging Dashboard (MaDDash) version 2.0.2, consider restricting access to the "/images/" endpoint to prevent directory listing.

**Name of the Vulnerable Software and Affected Versions** Olive Tree Ftp Server version 1.32 **Description** The issue concerns sensitive data being stored on the clipboard, specifically the `User password` field, which can be accessed using the Drozer post.capture.clipboard module. **Recommendations** For Olive Tree Ftp Server version 1.32, consider clearing the clipboard after use or implementing a feature to handle sensitive data securely to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** The Olive Tree Ftp Server application version 1.32 **Description** The issue concerns insecure data storage. Specifically, a `username` and `password` are stored in the `/data/data/com.theolivetree.ftpserver/shared prefs/com.theolivetree.ftpserver preferences.xml` file as the `prefUsername` and `prefUserpass` strings. **Recommendations** For The Olive Tree Ftp Server application version 1.32, consider removing or securely storing the `prefUsername` and `prefUserpass` strings from the shared preferences file to mitigate the risk of insecure data storage. As a temporary workaround, restrict access to the shared preferences file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Werewolf Online application version 0.8.8 **Description** The issue allows attackers to discover the Firebase token by reading logcat output. **Recommendations** For version 0.8.8, consider restricting access to logcat output to prevent unauthorized discovery of the Firebase token until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tagregator plugin version 0.6 **Description** The issue is related to stored XSS via the title field in an Add New action. **Recommendations** For Tagregator plugin version 0.6, update to a version that fixes this issue, as using the vulnerable version may lead to exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: iScripts eSwap version 2.4 Description: The issue is related to Reflected XSS, which occurs via the `catid` parameter in the "catwiseproducts.php" file within the User Panel. Recommendations: For iScripts eSwap version 2.4, consider restricting access to the `catid` parameter in the "catwiseproducts.php" file to minimize the risk of exploitation. As a temporary workaround, avoid using the `catid` parameter in the affected area until a patch is available.

Name of the Vulnerable Software and Affected Versions: iScripts UberforX version 2.2 Description: The issue concerns a Stored XSS in the `manage settings` section of the Admin Panel. This occurs via a value field to the "/cms?section=manage settings&action=edit" API endpoint. Recommendations: For iScripts UberforX version 2.2, as a temporary workaround, consider restricting access to the `manage settings` section of the Admin Panel until a patch is available. Avoid using the value field in the affected API endpoint until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: iScripts UberforX version 2.2 Description: The issue concerns a CSRF flaw in the "manage settings" section of the Admin Panel. This can be exploited via the /cms?section=manage settings&action=edit URI. Recommendations: For iScripts UberforX version 2.2, consider implementing proper CSRF protection mechanisms, such as tokens, to prevent unauthorized modifications to settings in the Admin Panel. As a temporary workaround, restrict access to the /cms?section=manage settings&action=edit URI to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: iScripts SupportDesk version 4.3 Description: The issue is related to a security problem where an attacker can inject malicious code. Specifically, it involves the `txtinteligentsearch` parameter in the "admin/inteligentsearchresult.php" endpoint. Recommendations: For iScripts SupportDesk version 4.3, consider restricting access to the `txtinteligentsearch` parameter in the "admin/inteligentsearchresult.php" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: iScripts eSwap version 2.4 Description: The issue is related to a security problem where an attacker can inject malicious code. This is possible due to insufficient input validation in the `txtDate` parameter, which is part of the "registration settings.php" file in the Admin Panel. Recommendations: For iScripts eSwap version 2.4, ensure proper validation and sanitization of user input for the `txtDate` parameter in the "registration settings.php" file to prevent malicious code injection. As a temporary workaround, consider restricting access to the Admin Panel until a proper fix is applied.

Name of the Vulnerable Software and Affected Versions: iScripts eSwap version 2.4 Description: The issue is related to SQL injection via the `ddlFree` parameter in the "registration settings.php" file within the Admin Panel. Recommendations: For iScripts eSwap version 2.4, consider restricting access to the `ddlFree` parameter in the "registration settings.php" file to minimize the risk of exploitation. As a temporary workaround, avoid using the `ddlFree` parameter in the affected Admin Panel until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: iScripts SupportDesk version 4.3 Description: The issue is related to a security problem where an attacker can inject malicious code. The problem occurs due to the lack of proper input validation in the `txtinteligentsearch` parameter of the staff/inteligentsearchresult.php endpoint. Recommendations: For iScripts SupportDesk version 4.3, consider restricting access to the staff/inteligentsearchresult.php endpoint until a patch is available, and avoid using the `txtinteligentsearch` parameter in this endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: iScripts eSwap version 2.4 Description: The issue is related to a CSRF problem via the "registration settings.php" file in the Admin Panel. Recommendations: For iScripts eSwap version 2.4, consider restricting access to the "registration settings.php" file in the Admin Panel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP Scripts Mall Match Clone Script version 1.0.4 **Description** The issue concerns a problem where an attacker can inject malicious code via the search field. This is related to the "View Search By Id" screen, accessible through the searchbyid.php endpoint. **Recommendations** For PHP Scripts Mall Match Clone Script version 1.0.4, consider restricting access to the searchbyid.php endpoint until a fix is available, and avoid using the search field in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Iptanus WordPress File Upload plugin versions prior to 4.3.4 **Description** The issue is related to the mishandling of Settings attributes, which leads to a cross-site scripting (XSS) problem. **Recommendations** For versions prior to 4.3.4, update to version 4.3.4 or later to resolve the issue.