Mohammad Reza Omrani

**Name of the Vulnerable Software and Affected Versions** Apache Answer versions through 1.3.5 **Description** The password reset link remains valid within its expiration period even after it has been used, potentially leading to misuse or hijacking. **Recommendations** For Apache Answer versions through 1.3.5, upgrade to version 1.3.6 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Answer versions through 1.3.5 **Description** The issue affects Apache Answer, where a user can send multiple password reset emails, each containing a valid link. Within the link's validity period, this could potentially lead to the link being misused or hijacked. **Recommendations** For versions through 1.3.5, upgrade to version 1.3.6 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Answer versions through 1.2.1 **Description** The issue affects Apache Answer, allowing a logged-in user to cause a Pixel Flood Attack by uploading large pixel files, which can cause the server to run out of memory. This can be done by uploading an image when posting content. **Recommendations** For Apache Answer versions through 1.2.1, upgrade to version 1.2.5, which fixes the issue. As a temporary workaround, consider restricting image uploads for logged-in users until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Apache Answer versions through 1.2.1 **Description** The issue is related to a 'Race Condition' vulnerability due to improper synchronization during concurrent execution using shared resources. This can lead to the creation of multiple user accounts with the same name when users rapidly submit multiple registrations using scripts. **Recommendations** For Apache Answer versions through 1.2.1, upgrade to version 1.2.5, which fixes the issue. As a temporary workaround, consider restricting rapid submissions during registration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Smart Forms WordPress plugin versions prior to 2.6.87 **Description** The issue concerns a lack of authorization in various AJAX actions within the plugin, allowing users with a low role, such as a subscriber, to perform unauthorized actions like deleting entries. Additionally, the plugin lacks CSRF checks in some areas, making it possible for attackers to trick logged-in users into performing unwanted actions via CSRF attacks, including deleting entries. **Recommendations** For versions prior to 2.6.87, update to version 2.6.87 or later to resolve the issue. As a temporary workaround, consider restricting access to AJAX actions and implementing CSRF checks to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** kk Star Ratings WordPress plugin versions prior to 5.4.6 **Description** The issue allows a user to vote multiple times on a poll due to a Race Condition, as the plugin does not implement atomic operations. **Recommendations** For versions prior to 5.4.6, update to version 5.4.6 or later to resolve the issue.