Mauricio Corrêa

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 7.02.07 **Description** A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `status` parameter in the CMS admin panel. **Recommendations** For PHP-Fusion version 7.02.07, consider disabling access to the CMS admin panel until a fix is available, and avoid using the `status` parameter in the affected panel to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** America's Army Proving Grounds (affected versions not specified) **Description** An issue was discovered in the America's Army Proving Grounds platform for the Unreal Engine, where sending a false packet via UDP can cause the application server to respond with several bytes. This gives the possibility of DoS amplification and can even be used in DDoS attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** D-Link DSL-2730B router (rev C1) with firmware GE 1.01 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via several parameters, including the `domainname` parameter to "dnsProxy.cmd" (DNS Proxy Configuration Panel), the `brName` parameter to "lancfg2get.cgi" (Lan Configuration Panel), the `wlAuthMode`, `wl wsc reg`, or `wl wsc mode` parameters to "wlsecrefresh.wl" (Wireless Security Panel), or the `wlWpaPsk` parameter to "wlsecurity.wl" (Wireless Password Viewer). **Recommendations** For D-Link DSL-2730B router (rev C1) with firmware GE 1.01, consider restricting access to the DNS Proxy Configuration Panel, Lan Configuration Panel, Wireless Security Panel, and Wireless Password Viewer until a patch is available. As a temporary workaround, avoid using the `domainname`, `brName`, `wlAuthMode`, `wl wsc reg`, `wl wsc mode`, and `wlWpaPsk` parameters in their respective panels to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 7.02.07 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This can be achieved via the `submit id` parameter in a 2 action to "files/administration/submissions.php" or the `status` parameter to "files/administration/members.php". **Recommendations** For PHP-Fusion version 7.02.07, consider restricting access to the "files/administration/submissions.php" and "files/administration/members.php" files until a patch is available. As a temporary workaround, avoid using the `submit id` and `status` parameters in the affected API endpoints. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Progress Software OpenEdge version 11.2 **Description** A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by using a .. (dot dot) in the `selection` parameter of the report/reportViewAction.jsp endpoint. **Recommendations** For Progress Software OpenEdge version 11.2, consider restricting access to the report/reportViewAction.jsp endpoint until a fix is available. As a temporary workaround, avoid using the `selection` parameter in the report/reportViewAction.jsp endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dell EqualLogic PS4000 version 6.0 **Description** A directory traversal issue allows remote attackers to read arbitrary files by using a .. (dot dot) in the default URI. **Recommendations** For version 6.0, update the firmware to a version that addresses this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.