Martino Spagnuolo

**Name of the Vulnerable Software and Affected Versions** HAProxy versions 2.6 through 3.3.5 **Description** The HTTP/3 parser fails to verify that the received body length aligns with a previously announced content-length when a stream is closed using a frame with an empty payload. This discrepancy can lead to desynchronization between the proxy and the backend server, potentially enabling request smuggling, which is a technique used to interfere with the way a website processes sequences of HTTP requests. **Recommendations** Update to version 3.3.6 or later.

**Name of the Vulnerable Software and Affected Versions** MailerPress versions prior to 1.4.3 **Description** A Server-Side Request Forgery (SSRF) issue exists in MailerPress. This allows for Server Side Request Forgery. The vulnerability affects the `mailerpress` component. **Recommendations** Update MailerPress to a version later than 1.4.2.

**Name of the Vulnerable Software and Affected Versions** billingo Official Integration for Billingo versions through 4.2.5 **Description** A missing authorization flaw exists in billingo Official Integration for Billingo. This issue allows for privilege escalation. **Recommendations** Update billingo Official Integration for Billingo to a version later than 4.2.5.

**Name of the Vulnerable Software and Affected Versions** Templazee versions prior to and including 1.0.2 **Description** An authorization issue exists within Templazee that allows exploitation of incorrectly configured access control security levels. **Recommendations** Update Templazee to a version later than 1.0.2.

**Name of the Vulnerable Software and Affected Versions** Breeze Checkout versions through 1.4.0 **Description** A missing authorization flaw exists in Breeze Checkout. This issue allows exploitation of incorrectly configured access control security levels. **Recommendations** Update Breeze Checkout to a version later than 1.4.0.

**Name of the Vulnerable Software and Affected Versions** Email Attachment by Order Status & Products versions n/a through 1.0.1 **Description** The software contains a flaw related to improper input handling during web page generation, which allows for Reflected Cross-site Scripting (XSS). This issue impacts the Email Attachment by Order Status & Products application. The flaw could potentially allow an attacker to inject malicious scripts into web pages viewed by other users. The affected component is not specified. **Recommendations** Update Email Attachment by Order Status & Products to a version greater than 1.0.1.

Name of the Vulnerable Software and Affected Versions: Hossein Material Dashboard versions n/a through 1.4.6 Description: A weakness exists in the password recovery mechanism for forgotten passwords in Hossein Material Dashboard. This issue could allow unauthorized access to accounts. Recommendations: Update Hossein Material Dashboard to a version beyond 1.4.6.

**Name of the Vulnerable Software and Affected Versions** Bonus for Woo versions n/a through 7.4.1 **Description** An improper validation of the specified quantity in input exists in Bonus for Woo, potentially allowing access to functionality not properly constrained by Access Control Lists (ACLs). **Recommendations** Update Bonus for Woo to a version later than 7.4.1.

**Name of the Vulnerable Software and Affected Versions** SoftMe versions through 1.1.24 **Description** A missing authorization flaw exists in DesertThemes SoftMe, allowing exploitation due to incorrectly configured access control security levels. **Recommendations** Update SoftMe to a version beyond 1.1.24.

**Name of the Vulnerable Software and Affected Versions** webriti Shk Corporate versions through 2.4.1.1 **Description** The software contains a missing authorization flaw due to incorrectly configured access control security levels. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One versions n/a through 2.2.6 **Description** A Server-Side Request Forgery (SSRF) vulnerability exists in aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One. This issue allows Server Side Request Forgery. **Recommendations** Update aitool Ai Auto Tool Content Writing Assistant (Gemini Writer, ChatGPT ) All in One to a version later than 2.2.6.

**Name of the Vulnerable Software and Affected Versions** INVELITY Invelity MyGLS connect versions through 1.1.1 **Description** This issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Object Injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** emarket-design Employee Directory – Staff Listing & Team Directory Plugin for WordPress versions through 4.5.3 **Description** The Employee Directory – Staff Listing & Team Directory Plugin for WordPress is susceptible to object injection due to deserialization of untrusted data. This issue allows for potential code execution. **Recommendations** Update Employee Directory – Staff Listing & Team Directory Plugin for WordPress to a version later than 4.5.3.

**Name of the Vulnerable Software and Affected Versions** WP Ticket Customer Service Software & Support Ticket System versions through 6.0.2 **Description** Deserialization of untrusted data in the software allows for object injection. **Recommendations** Update WP Ticket Customer Service Software & Support Ticket System to a version later than 6.0.2.

**Name of the Vulnerable Software and Affected Versions** YouTube Showcase versions through 3.5.1 **Description** An improper control of generation of code ('Code Injection') vulnerability exists in emarket-design YouTube Showcase, allowing Object Injection. **Recommendations** Update YouTube Showcase to a version later than 3.5.1.

**Name of the Vulnerable Software and Affected Versions** emarket-design Employee Spotlight versions n/a through 5.1.1 **Description** The software contains a deserialization of untrusted data issue, which allows for object injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WP Easy Contact versions through 4.0.1 **Description** Deserialization of untrusted data in WP Easy Contact allows for object injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: ameliabooking Booking System Trafft versions through 1.0.14 Description: The Booking System Trafft software contains a Stored Cross-site Scripting (XSS) issue. This occurs due to improper neutralization of input during web page generation. Recommendations: Update ameliabooking Booking System Trafft to a version later than 1.0.14.

Name of the Vulnerable Software and Affected Versions: DELUCKS SEO versions through 2.6.0 Description: An incorrect privilege assignment issue exists in DELUCKS SEO, allowing for privilege escalation. Recommendations: Update DELUCKS SEO to a version later than 2.6.0.

Name of the Vulnerable Software and Affected Versions: miniOrange Prevent files / folders access versions n/a through 2.6.0 Description: A path traversal vulnerability exists in miniOrange Prevent files / folders access, allowing attackers to traverse file paths. This issue allows path traversal within the application. Recommendations: Update miniOrange Prevent files / folders access to a version later than 2.6.0.