Matthew Aberegg

**Name of the Vulnerable Software and Affected Versions** LimeSurvey versions 4.3.10 and earlier **Description** LimeSurvey is affected by a stored cross-site scripting issue in the Survey Menu functionality within the administration panel. An attacker can inject malicious SVG scripts through the `Surveymenu[title]` and `Surveymenu[parent id]` parameters. Successful exploitation allows the execution of arbitrary JavaScript in administrative contexts. **Recommendations** Versions prior to 4.3.10 are vulnerable. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to CCM 3.0.7 Nagios XI versions prior to 5.7.4 **Description** The Core Config Manager (CCM) in Nagios XI has multiple SQL injection flaws present in the object edit pages. The application incorporates unsanitized user-supplied input into SQL queries used by configuration object editors. Successful exploitation could lead to unauthorized disclosure or modification of configuration and application data, and potentially further compromise of the application or backend database. The issue affects authenticated users. **Recommendations** Update to CCM version 3.0.7 or later. Update to Nagios XI version 5.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to CCM 3.0.7 Nagios XI versions prior to 5.7.4 **Description** The Core Config Manager (CCM) in Nagios XI is susceptible to multiple cross-site scripting (XSS) issues present in the object edit pages. Insufficient validation or escaping of user-supplied input could allow an attacker to inject and execute arbitrary script within a victim’s browser. **Recommendations** Update to CCM version 3.0.7 or later. Update to Nagios XI version 5.7.4 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.7.5 **Description** Nagios XI versions prior to 5.7.5 have a SQL injection issue in the SNMP Trap Interface edit page. An account with administrative privileges is required to access the affected interface. A user with administrative access can provide crafted input that is not properly sanitized, potentially leading to unauthorized disclosure or modification of application data, or execution of arbitrary SQL commands against the backend database. **Recommendations** Update to version 5.7.5 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to CCM 3.1.0 Nagios XI versions prior to 5.8.0 **Description** The Core Config Manager (CCM) in Nagios XI contains a cross-site scripting (XSS) issue in the Templates pages. The problem is related to the UI logic that renders and handles the Active/Actions buttons. Insufficient validation or escaping of user-supplied input may allow an attacker to inject and execute arbitrary script in the context of a victim's browser. **Recommendations** Update to CCM version 3.1.0 or later. Update to Nagios XI version 5.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.8.0 **Description** The software is susceptible to stored cross-site scripting (XSS) through the My Tools page. Insufficient validation or escaping of user-supplied input could allow an attacker to inject and execute arbitrary script within a victim’s browser. **Recommendations** Update to version 5.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.8.0 **Description** Nagios XI versions prior to 5.8.0 are susceptible to cross-site scripting (XSS) through the handling of BPI config IDs. A lack of proper input validation or escaping of user-provided data could allow an attacker to inject and execute arbitrary script within a victim’s browser. **Recommendations** Update to version 5.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** Nagios XI versions prior to 5.8.0 **Description** Nagios XI versions prior to 5.8.0 are susceptible to cross-site scripting (XSS) through the Views feature's URL handling. Insufficient validation or escaping of user-supplied input could allow an attacker to inject and execute arbitrary script within a victim’s browser. **Recommendations** Update to version 5.8.0 or later.

**Name of the Vulnerable Software and Affected Versions** LimeSurvey version 4.1.11+200316 **Description** The issue is related to a Cross Site Scripting vulnerability. It affects the `name` and `description` parameters in the `application/controllers/admin/PermissiontemplatesController.php` file. **Recommendations** For LimeSurvey version 4.1.11+200316, consider restricting access to the `name` and `description` parameters in the `PermissiontemplatesController.php` file until a patch is available. As a temporary workaround, avoid using the `name` and `description` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.12.6 **Description** The issue is related to a Cross Site Scripting vulnerability. It can be exploited via the `queue-name` parameter to the "/include/ajax.search.php" API endpoint. **Recommendations** For versions prior to 1.12.6, update to version 1.12.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/include/ajax.search.php` API endpoint or avoiding the use of the `queue-name` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** osTicket versions prior to 1.12.6 **Description** The issue is related to a Cross Site Scripting (XSS) vulnerability. It affects the `queue-name` parameter in the `include/class.queue.php` file. There is no information provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For versions prior to 1.12.6, update to version 1.12.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `queue-name` parameter in the affected `include/class.queue.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** LimeSurvey versions prior to 4.1.12+200324 **Description** The issue concerns stored XSS in certain files, specifically in application/views/admin/surveysgroups/surveySettings.php and application/models/SurveysGroups.php, which is related to survey groups. **Recommendations** For versions prior to 4.1.12+200324, update to version 4.1.12+200324 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** LimeSurvey versions prior to 4.1.12+200324 **Description** The issue is related to a path traversal vulnerability. It affects the file application/controllers/admin/LimeSurveyFileManager.php. **Recommendations** For versions prior to 4.1.12+200324, update to version 4.1.12+200324 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** pfSense versions prior to 2.4.5 **Description** The issue concerns stored XSS in the WebGUI, specifically in the system usermanager addprivs.php file, via the `descr` parameter, also known as the full name of a user. **Recommendations** For versions prior to 2.4.5, update to version 2.4.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the system usermanager addprivs.php file in the WebGUI to minimize the risk of exploitation. Avoid using the `descr` parameter in the affected WebGUI until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: rConfig versions prior to 3.9.5 Description: The issue is related to a lack of proper neutralization of special elements used in operating system commands. This can be exploited by a remote attacker using a specially crafted GET request, allowing them to execute arbitrary commands on the target system. The `nodeId` parameter in `lib/crud/search.crud.php` is passed directly to the `exec` function without being escaped, leading to command injection. Recommendations: For versions prior to 3.9.5, update to version 3.9.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `lib/crud/search.crud.php` file to minimize the risk of exploitation. Avoid using the `nodeId` parameter in the affected API endpoint until the issue is resolved.