Mikecole-Mg

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions 7.0-milestone-2 through 16.10.11 XWiki Platform versions 17.0.0-rc-1 through 17.4.4 XWiki Platform versions 17.5.0-rc-1 through 17.7.0 **Description** The XWiki Platform contains a reflected Cross-site Scripting (XSS) issue. This allows an attacker to create a malicious URL that, when visited by a victim, can execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, an attacker could gain full access to the XWiki installation. The issue resides in the platform's logging infrastructure, allowing attackers to inject malicious scripts via crafted extension identifiers. **Recommendations** XWiki Platform versions 7.0-milestone-2 through 16.10.11: Update to version 16.10.12 or later. XWiki Platform versions 17.0.0-rc-1 through 17.4.4: Update to version 17.4.5 or later. XWiki Platform versions 17.5.0-rc-1 through 17.7.0: Update to version 17.8.0-rc-1 or later. As a workaround, manually apply the patch by changing a single line in the `templates/logging macros.vm` file. No restart is required.

**Name of the Vulnerable Software and Affected Versions** OpenClinica Community Edition versions up to 3.12.2/3.13 **Description** A path traversal issue exists in OpenClinica Community Edition. The issue affects the CRF Data Import component, specifically within the `/ImportCRFData?action=confirm` file. Manipulation of the `xml file` argument can lead to path traversal. The attack can be initiated remotely. The exploit has been made public. **Recommendations** Versions prior to 3.12.2/3.13 should be used.

**Name of the Vulnerable Software and Affected Versions** OpenClinica Community Edition versions up to 3.12.2/3.13 **Description** A flaw exists in OpenClinica Community Edition that allows for XML injection. This issue is related to the processing of the `xml file` argument within the `/ImportCRFData?action=confirm` endpoint of the CRF Data Import component. Successful exploitation could occur remotely. The details of the exploit have been publicly disclosed. **Recommendations** Versions prior to 3.12.2/3.13 should be updated.

**Name of the Vulnerable Software and Affected Versions** OpenWGA version 7.11.12 Build 737 **Description** A security issue exists in OpenWGA that allows for cross site scripting. The issue impacts an unknown function within the Admin UI component and can be initiated remotely. The exploit for this issue has been publicly disclosed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OpenWGA version 7.11.12 Build 737 **Description** A flaw exists in OpenWGA that can lead to path traversal. The issue affects an unknown function within the `WGA.File` of the TMLScript API component. It is possible to launch the attack remotely. An exploit for this issue has been published. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Airsonic-Advanced versions prior to 10.6.1 **Description** A vulnerability exists in Airsonic-Advanced up to version 10.6.0 within the Playlist Upload Handler component. Manipulation of the component allows for unrestricted file uploads, and the attack can be initiated remotely. The exploit is publicly available. **Recommendations** Update Airsonic-Advanced to version 10.6.1 or later.

**Name of the Vulnerable Software and Affected Versions** Airbyte versions prior to 0.62.2 **Description** The Airbyte connection builder docker image is vulnerable to remote code execution (RCE) via server-side template injection (SSTI), allowing an authenticated remote attacker to execute arbitrary code on the server as the web server user. This vulnerability could expose sensitive information, such as credentials, if a user tests a new connector on a compromised instance. However, the connection builder does not have access to any data processes. **Recommendations** For versions prior to 0.62.2, update to version 0.62.2 to resolve the issue. As a temporary workaround, consider restricting access to the connection builder to minimize the risk of exploitation.