Mariotesoro

**Name of the Vulnerable Software and Affected Versions** SpagoBI version 3.5.1 **Description** A Cross-Site Request Forgery (CSRF) issue has been found in the user administration panel. An authenticated user can lead another user into executing unwanted actions inside the application they are logged in, such as adding, editing, or deleting users. **Recommendations** For SpagoBI version 3.5.1, consider disabling access to the user administration panel until a patch is available to prevent potential exploitation of the CSRF issue. Restrict access to sensitive functions like adding, editing, or deleting users to minimize the risk of unwanted actions being executed.

**Name of the Vulnerable Software and Affected Versions** SpagoBI version 3.5.1 **Description** The issue concerns multiple Stored Cross-Site Scripting (XSS) vulnerabilities found in the create/edit forms of the worksheet designer function. This allows for the potential execution of malicious scripts, impacting the security of the application. **Recommendations** For SpagoBI version 3.5.1, consider disabling the create/edit forms of the worksheet designer function until a patch is available to mitigate the risk of Stored Cross-Site Scripting (XSS) attacks. Restrict access to these forms to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SpagoBI version 3.5.1 **Description** The issue is related to the script input feature of SpagoBI, which allows arbitrary code execution. This is due to the lack of measures to neutralize special elements used in the command input field. Exploitation of this issue can allow a remote attacker to execute arbitrary code by injecting a specially crafted Groovy script. **Recommendations** For SpagoBI version 3.5.1, consider disabling the script input feature until a patch is available to prevent arbitrary code execution. Restrict access to the Groovy script execution functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Kanboard versions prior to 1.2.41 Description: Kanboard is project management software that focuses on the Kanban methodology. HTML can be injected and stored into the application settings section. The fields `application language`, `application date format`, `application timezone`, and `application time format` allow arbitrary user input which is reflected. This issue can become a cross-site scripting (XSS) vulnerability if the user input is JavaScript code that bypasses Content Security Policy (CSP). Recommendations: For versions prior to 1.2.41, update to version 1.2.41 to resolve the issue. As a temporary workaround, consider restricting user input in the `application language`, `application date format`, `application timezone`, and `application time format` fields to prevent arbitrary HTML injection.

**Name of the Vulnerable Software and Affected Versions** Proactive Risk Manager version 9.1.1.0 **Description** The issue concerns multiple Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities are found in the add/edit form fields, specifically at URLs starting with the subpaths: "/ar/config/configuation/" and "/ar/config/risk-strategy-control/". **Recommendations** For Proactive Risk Manager version 9.1.1.0, consider restricting access to the affected form fields and URLs starting with "/ar/config/configuation/" and "/ar/config/risk-strategy-control/" until a fix is available. As a temporary workaround, avoid using the add/edit functionality in these areas to minimize the risk of exploitation.