Mirabbas Ağalarov

**Name of the Vulnerable Software and Affected Versions** ProjectSend version r1605 **Description** ProjectSend r1605 contains a remote code execution issue that allows attackers to upload malicious files by manipulating file extensions. Attackers can upload shell scripts with disguised extensions through the `upload.process.php` endpoint to execute arbitrary commands on the server. The issue bypasses file extension checks, enabling attackers to upload and execute malicious scripts, potentially leading to complete server compromise. **Recommendations** For ProjectSend version r1605, restrict access to the `upload.process.php` endpoint to prevent unauthorized file uploads. As a temporary workaround, consider disabling file upload functionality until a patch is available.

**Name of the Vulnerable Software and Affected Versions** WebsiteBaker version 2.13.3 **Description** An authenticated user can inject malicious scripts when creating web pages, leading to the execution of arbitrary JavaScript when a page is viewed by other users. The issue is due to a stored cross-site scripting condition that occurs when crafting malicious payloads in page titles. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all page titles to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** Dotclear version 2.25.3 **Description** Dotclear version 2.25.3 contains a remote code execution issue. Authenticated attackers can upload malicious PHP files with a `.phar` extension through the blog post creation interface. Uploading files containing PHP system commands allows execution of arbitrary code on the server when the uploaded file is accessed. The issue involves the ability to upload files via the blog post creation interface. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TinyWebGallery version 2.5 **Description** TinyWebGallery version 2.5 has a stored cross-site scripting issue. Authenticated attackers can inject malicious scripts through the folder name parameter. Attackers can modify album folder names with script tags, leading to the execution of arbitrary JavaScript when other users view the affected gallery pages. The vulnerable parameter is `folder name`. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** UliCMS version 2023.1 **Description** The software contains a stored cross-site scripting issue that enables attackers to upload malicious SVG files containing JavaScript. Attackers can upload these crafted SVG files through the file management interface. When other users view these files, arbitrary scripts are executed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ version 3.1.12 **Description** The software contains a CSV injection flaw that permits authenticated users to inject malicious formulas into their profile names. An attacker can modify their user profile name with a payload such as 'calc|a!z|' to trigger code execution when an administrator exports user data as a CSV file. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict the characters allowed in user profile names to prevent the injection of malicious formulas.

**Name of the Vulnerable Software and Affected Versions** ProjectSend version r1605 **Description** An insecure direct object reference issue exists in ProjectSend r1605. An unauthenticated attacker can download private files by manipulating the `id` parameter in a download request to the 'process.php' endpoint. This allows access to any user's private files. **Recommendations** Apply appropriate access controls to the 'process.php' endpoint to prevent unauthorized file downloads. Sanitize or validate the `id` parameter to ensure it corresponds to a legitimate file accessible to the requesting user.

**Name of the Vulnerable Software and Affected Versions** Zenphoto version 1.6 **Description** The software contains a stored cross-site scripting issue in the user postal code field. This field is accessible through the 'admin-users.php' interface. When administrators view user information that includes HTML, malicious JavaScript payloads injected into the postal code field can execute in their browser. The vulnerable field is used when importing user information. **Recommendations** Sanitize user input for the postal code field in the 'admin-users.php' interface to prevent the injection of malicious HTML or JavaScript code.

**Name of the Vulnerable Software and Affected Versions** UliCMS version 2023.1 **Description** An unauthenticated attacker can create administrative accounts through the `UserController` endpoint. By sending a crafted POST request to the `/dist/admin/index.php` endpoint with specific parameters, an attacker can generate a new admin user with full system access. The vulnerable parameter is not specified. **Recommendations** Apply updates to address the issue. As a temporary workaround, restrict access to the `/dist/admin/index.php` endpoint to authorized users only.

**Name of the Vulnerable Software and Affected Versions** PodcastGenerator version 3.2.9 **Description** PodcastGenerator version 3.2.9 has a stored cross-site scripting issue. A malicious JavaScript payload can be injected into the episode title field through the episodes upload interface, specifically via the `episodes upload.php` page. When administrators view the episodes list page (`episodes list.php`), the injected JavaScript executes. The vulnerable field is the episode title. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, sanitize all user-supplied input for the episode title field to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** PodcastGenerator version 3.2.9 **Description** PodcastGenerator version 3.2.9 has a stored cross-site scripting issue in the podcast title field. This flaw is accessible through the podcast details interface, specifically the `podcast details.php` file. Successful exploitation involves injecting malicious JavaScript payloads into the podcast title, which then execute when users visit the application’s home page. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TinyWebGallery version 2.5 **Description** TinyWebGallery version 2.5 contains a remote code execution issue in the admin upload functionality. An unauthenticated attacker can upload malicious PHP files, specifically .phar files, to execute arbitrary code on the server. This is achieved by accessing the URL of the uploaded file. The vulnerability bypasses security controls, presenting no barriers to exploitation. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SitemagicCMS version 4.4.3 **Description** The software contains a remote code execution issue that allows attackers to upload malicious PHP files to the 'files/images' directory. An attacker can upload a .phar file containing a system command execution payload to compromise the web application and execute arbitrary system commands. The API endpoint used for file upload is not specified. The vulnerable parameter is not specified. The function responsible for handling file uploads is not specified. **Recommendations** Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict file upload permissions to the 'files/images' directory.

**Name of the Vulnerable Software and Affected Versions** PHPFusion version 9.10.30 **Description** The software contains a stored cross-site scripting issue in the file manager. Attackers can upload malicious SVG files containing embedded JavaScript. These files, when viewed, can execute arbitrary JavaScript, potentially leading to the theft of user session information or other client-side attacks. The vulnerability is triggered by uploading SVG files with script tags. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** projectSend version r1605 **Description** The software contains a stored cross-site scripting issue. Authenticated administrators can inject malicious JavaScript through the custom assets configuration page. An attacker can create a JavaScript payload within the custom assets section, which will execute when other users access the affected page, resulting in persistent script injection. **Recommendations** Administrators should sanitize or encode any user-supplied content within the custom assets configuration page to prevent the injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** UliCMS version 2023.1 **Description** An authentication bypass allows unauthenticated attackers to create administrative users. This is possible through mass assignment in the `UserController` by sending a crafted POST request to the ''index.php'' endpoint. Successful exploitation grants attackers full system access. The vulnerable parameter is not explicitly mentioned. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ProjectSend version r1605 **Description** ProjectSend version r1605 contains a CSV injection flaw. Authenticated users can inject malicious formulas into user profile names. An attacker can use a payload like `=calc|a!z|` within the name field. When administrators export action logs as CSV files, this can lead to code execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBCE CMS version 1.6.1 **Description** WBCE CMS version 1.6.1 has a stored cross-site scripting issue. Authenticated attackers can inject malicious JavaScript by uploading specially crafted SVG files. This is achieved through the media manager by exploiting the `/wbce/modules/elfinder/ef/php/connector.wbce.php` endpoint. Attackers upload SVG files containing script tags, and the JavaScript executes when victims access the uploaded file. The vulnerable parameter is the SVG file itself. **Recommendations** Update to a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WBCE CMS version 1.6.1 **Description** WBCE CMS version 1.6.1 has a stored cross-site scripting issue. Authenticated attackers can inject malicious JavaScript by inserting script tags into page content using the WYSIWYG editor. Attackers can submit POST requests to the ''/wbce/modules/wysiwyg/save.php'' endpoint with malicious script content in the `content` parameter. This allows execution of JavaScript when users view the affected page. **Recommendations** Update to a newer version of WBCE CMS that addresses this issue. As a temporary workaround, sanitize all user-supplied input before saving it to the database. Restrict access to the ''/wbce/modules/wysiwyg/save.php'' endpoint to trusted users only.

**Name of the Vulnerable Software and Affected Versions** Rukovoditel version 3.3.1 **Description** The software contains a CSV injection issue that allows authenticated users to inject malicious formulas into the `firstname` field. An attacker can create payloads, such as `=calc|a!z|`, to execute code when an administrator exports customer data as a CSV file. **Recommendations** Apply a fix or update to a newer version that addresses this vulnerability. As a temporary workaround, sanitize the `firstname` field to remove or escape potentially malicious characters before exporting data as a CSV file.