Mounir Aarab

**Name of the Vulnerable Software and Affected Versions** Centreon Web versions 22.10.x through 22.10.25 Centreon Web versions 23.04.x through 23.04.22 Centreon Web versions 23.10.x through 23.10.17 Centreon Web versions 24.04.x through 24.04.7 Centreon Web versions 24.10.x through 24.09 **Description** A stored XSS issue was found in the user configuration contact name field. This form is only accessible to authenticated users with high-privilege access. **Recommendations** For Centreon Web versions 22.10.x through 22.10.25, update to version 22.10.26 or later. For Centreon Web versions 23.04.x through 23.04.22, update to version 23.04.23 or later. For Centreon Web versions 23.10.x through 23.10.17, update to version 23.10.18 or later. For Centreon Web versions 24.04.x through 24.04.7, update to version 24.04.8 or later. For Centreon Web versions 24.10.x through 24.09, update to version 24.10.0 or later.

Name of the Vulnerable Software and Affected Versions: LAquis SCADA version 4.7.1.511 Description: A cross-site scripting vulnerability in LAquis SCADA could allow an attacker to inject arbitrary code into a web page, potentially enabling them to steal cookies, redirect users, or perform unauthorized actions. This issue is related to the lack of protection measures for the web page structure, which could allow a remote attacker to conduct cross-site scripting attacks. Recommendations: For LAquis SCADA version 4.7.1.511, consider disabling web page functionality or restricting access to the web interface until a patch is available to prevent exploitation of the cross-site scripting vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Titan SFTP and Titan MFT Server versions 2.0.25.2426 and earlier **Description** The issue concerns the exposure of sensitive information, including passwords, in clear text within the JSON response when configuring SMTP settings via the Web UI. This sensitive information exposure occurs in Titan SFTP and Titan MFT Server. **Recommendations** For versions 2.0.25.2426 and earlier, consider restricting access to the Web UI until a fix is available, and avoid configuring SMTP settings via the Web UI to minimize the risk of sensitive information exposure.

Name of the Vulnerable Software and Affected Versions: CodeAstro MembershipM-PHP (aka Membership Management System in PHP) version 1.0 Description: The issue allows for stored XSS in the `fullname` parameter of the "add members.php" page. This can lead to malicious script execution when the stored data is viewed. Recommendations: For CodeAstro MembershipM-PHP (aka Membership Management System in PHP) version 1.0, consider validating and sanitizing user input for the `fullname` parameter in the "add members.php" page to prevent XSS attacks. As a temporary workaround, restrict access to the "add members.php" page until a proper fix is applied.