Mesh3L_911

**Name of the Vulnerable Software and Affected Versions** Profile Builder WordPress plugin versions prior to 3.9.8 **Description** The issue concerns a lack of authorization and CSRF protection in the page creation function of the plugin. This allows unauthenticated users to create specific pages, including register, log-in, and edit-profile pages, on the blog. **Recommendations** For versions prior to 3.9.8, update to version 3.9.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the page creation function until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A Cross-Site Scripting (XSS) issue exists via the Scheduled Cron Jobs feature. **Recommendations** For Webmin version 1.973, consider disabling the Scheduled Cron Jobs feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A Cross-Site Scripting (XSS) issue exists via the Upload and Download feature. **Recommendations** For Webmin version 1.973, consider disabling the Upload and Download feature until a patch is available. Restrict access to this feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A Cross-site request forgery (CSRF) vulnerability exists in the Upload and Download feature. This issue allows an attacker to trick a user into performing unintended actions on the web application. **Recommendations** For Webmin version 1.973, as a temporary workaround, consider disabling the Upload and Download feature until a patch is available. Restrict access to this feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A Cross-Site Scripting (XSS) issue exists in the Add Users feature. **Recommendations** For Webmin version 1.973, consider disabling the Add Users feature until a patch is available. Restrict access to this feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A Cross-Site Scripting (XSS) issue exists in the File Manager feature. **Recommendations** For Webmin version 1.973, consider disabling the File Manager feature until a patch is available. Restrict access to the File Manager to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A Cross-site request forgery (CSRF) vulnerability exists in the File Manager feature. This issue allows for malicious requests to be made on behalf of the user, potentially leading to unauthorized actions. **Recommendations** For Webmin version 1.973, as a temporary workaround, consider disabling the File Manager feature until a patch is available. Restrict access to the File Manager to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** A cross-site request forgery (CSRF) vulnerability exists in the Scheduled Cron Jobs feature. This issue allows for malicious requests to be made on behalf of a user without their knowledge or consent. **Recommendations** For Webmin version 1.973, consider disabling the Scheduled Cron Jobs feature until a patch is available to prevent potential exploitation of the CSRF vulnerability.

Name of the Vulnerable Software and Affected Versions: GoCD server version 21.3.0 Description: The issue concerns a functionality in the GoCD server that could be exploited to achieve a Server Side Request Forgery (SSRF). This is possible when adding a new pipeline. The vendor's position is that the observed behavior is not a vulnerability, as the product's design allows an admin to configure outbound requests. Recommendations: For GoCD server version 21.3.0, consider restricting the configuration of outbound requests to minimize the risk of exploitation. As a temporary workaround, review and limit the use of the pipeline functionality until further guidance is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** The issue is related to reflected Cross Site Scripting (XSS) that can lead to Remote Command Execution. This is achieved through Webmin's running process feature. **Recommendations** For Webmin version 1.973, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** The issue allows for Cross Site Request Forgery (CSRF) to create a privileged user through Webmin's add users feature, and then get a reverse shell through Webmin's running process feature. **Recommendations** For Webmin version 1.973, as a temporary workaround, consider disabling the add users feature and restricting access to the running process feature until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Webmin version 1.973 **Description** The issue allows for Cross Site Request Forgery (CSRF) to achieve Remote Command Execution (RCE) through Webmin's running process feature. This means an attacker could potentially execute commands on a remote system without proper authorization. **Recommendations** For Webmin version 1.973, consider disabling the running process feature as a temporary workaround until a patch is available. Restrict access to Webmin's running process feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Discourse versions 2.7.0 through beta1 **Description** A rate-limit bypass issue leads to a bypass of the 2FA requirement for certain forms. **Recommendations** For versions 2.7.0 through beta1, update to a version that includes a fix for the rate-limit bypass issue to prevent 2FA bypass for certain forms. At the moment, there is no information about a newer version that contains a fix for this vulnerability.