Mateusz Goik

**Name of the Vulnerable Software and Affected Versions** Cisco SD-WAN vManage Software (affected versions not specified) **Description** A vulnerability in the web-based management interface of the Cisco SD-WAN vManage Software could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user. The vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SD-WAN Software (affected versions not specified) **Description** A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. The issue is due to insufficient input validation. An attacker could exploit this by sending a crafted request to a utility running on an affected system, potentially gaining root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cisco SD-WAN Software (affected versions not specified) **Description** A vulnerability in Cisco SD-WAN Software could allow an authenticated, local attacker to elevate privileges to root on the underlying operating system. The issue is due to insufficient security controls on the Command Line Interface (CLI). An attacker could exploit this by using an affected CLI utility on an affected system, potentially gaining root privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0194 and CVE-2013-0195.

Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0194.

Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0195.

**Name of the Vulnerable Software and Affected Versions** phpPgAdmin versions prior to 5.0.4 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection can occur via the `name` or `type` of a function. **Recommendations** For versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ownCloud Server versions 5.0.x through 5.0.5 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. **Recommendations** For ownCloud Server versions 5.0.x through 5.0.5, update to version 5.0.6 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 4.1.x through 4.2.6 Bugzilla versions 4.3.x Bugzilla versions 4.4.x prior to 4.4.1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report. This can be achieved through the `summary` or `real name` field. **Recommendations** For Bugzilla versions 4.1.x through 4.2.6, update to version 4.2.7 or later. For Bugzilla versions 4.3.x, update to version 4.4.1 or later. For Bugzilla versions 4.4.x prior to 4.4.1, update to version 4.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 4.4.x through 4.4.0 **Description** A cross-site request forgery issue exists, allowing remote attackers to hijack user authentication for modifying bugs. This is achieved through vectors involving a midair-collision token. **Recommendations** For Bugzilla versions 4.4.x through 4.4.0, update to version 4.4.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** SyntaxHighlight GeSHi extension for MediaWiki versions prior to September 2013 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML. **Recommendations** For versions prior to September 2013, update the SyntaxHighlight GeSHi extension to a version released after September 2013.

**Name of the Vulnerable Software and Affected Versions** Bugzilla versions 4.1.x through 4.2.3 Bugzilla versions 4.3.x through 4.4rc1 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via a field value that is not properly handled during construction of a tabular report, such as the `Version` field. **Recommendations** For Bugzilla versions 4.1.x through 4.2.3, update to version 4.2.4 or later. For Bugzilla versions 4.3.x through 4.4rc1, update to version 4.4rc1 or later.

**Name of the Vulnerable Software and Affected Versions** Gallery 3 versions prior to 3.0.4 **Description** The issue allows attackers to execute arbitrary PHP code via unknown vectors. **Recommendations** For versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Gallery 3 versions prior to 3.0.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, which can lead to cross-site scripting (XSS) attacks. **Recommendations** For Gallery 3 versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 3.4.x through 3.4.10.1 **Description** The issue allows remote attackers to obtain sensitive information via a direct request to `show config errors.php`, which reveals the installation path in an error message when a configuration file does not exist. **Recommendations** For phpMyAdmin versions 3.4.x through 3.4.10.1, update to version 3.4.10.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mathopd versions 1.4.x through 1.5.x before 1.5p7 **Description** A directory traversal issue exists when Mathopd is configured with the * construct for mass virtual hosting, allowing remote attackers to read arbitrary files by sending a crafted Host header. **Recommendations** For versions 1.4.x through 1.5.x before 1.5p7, update to version 1.5p7 or later to resolve the issue.