Mariusz Poplawski

**Name of the Vulnerable Software and Affected Versions** ExpressionEngine versions prior to 5.3.2 **Description** The issue allows remote attackers to upload and execute arbitrary code in a .php file. This can be achieved via Compose Msg, Add attachment, and Save As Draft actions, exploiting the ability to bypass MIME type and file-extension checks during file uploads. Attackers with low privileges, such as members, can upload malicious files. The vulnerability enables direct access to uploaded files, bypassing short aliases. Exploitation requires the ability to send and compose messages, at least. **Recommendations** For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the file upload feature for members or restricting access to the Compose Msg, Add attachment, and Save As Draft actions until the update is applied. Additionally, restrict registration and forum access to prevent the creation of new members with the default group id of 5.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 versions prior to 20.0.0 **Description** The issue concerns a security problem where an attacker can execute malicious scripts on a user's browser, potentially leading to unauthorized actions. This is achieved by exploiting the `items[ITEMS][ID]` parameter in the "components/bitrix/mobileapp.list/ajax.php/" API endpoint. **Recommendations** For versions prior to 20.0.0, consider restricting access to the "components/bitrix/mobileapp.list/ajax.php/" API endpoint until a patch is available. As a temporary workaround, avoid using the `items[ITEMS][ID]` parameter in the affected endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Bitrix24 versions prior to 20.0.976 **Description** The issue allows for Server-Side Request Forgery (SSRF) via an intranet IP address in the "services/main/ajax.php?action=attachUrlPreview" API endpoint, specifically through the `url` parameter. This occurs when the destination URL hosts an HTML document containing a '<meta name="og:image" content="' tag followed by an intranet URL. **Recommendations** For Bitrix24 versions prior to 20.0.976, as a temporary workaround, consider restricting access to the "services/main/ajax.php?action=attachUrlPreview" API endpoint until a patch is available. Avoid using the `url` parameter in this endpoint with potentially malicious URLs.

**Name of the Vulnerable Software and Affected Versions** acf-to-rest-api plugin through 3.1.0 for WordPress **Description** The issue allows an insecure direct object reference via permalinks manipulation. This can be demonstrated by a "wp-json/acf/v3/options/" request that reads sensitive information in the `wp options` table, such as the `login` and `pass` values. **Recommendations** For acf-to-rest-api plugin through 3.1.0, update to a version later than 3.1.0 to resolve the issue. As a temporary workaround, consider restricting access to the "wp-json/acf/v3/options/" endpoint to minimize the risk of exploitation. Avoid using the `wp options` table in the affected API endpoint until the issue is resolved.