Wgcc · Web Group Communication Center · CVE-2008-2446
Name of the Vulnerable Software and Affected Versions:
Web Group Communication Center (WGCC) versions 1.0.3 PreRelease 1 and earlier
Description:
Multiple SQL injection vulnerabilities allow remote authenticated users to execute arbitrary SQL commands against the application's database. Judging by their names, every affected parameter is a numeric record identifier that the receiving script places into an SQL statement without validating or escaping it. The affected parameters and scripts are:
- the `userid` parameter to "profile.php" in a "show moreinfo" action
- the `bildid` parameter to "picturegallery.php" in a "shownext" action
- the `id` parameter to "filebase.php" in a "freigeben" action, to "schedule.php" in a "del" action, and to "profile.php" in an "observe" action
- the `pmid` parameter to "message.php" in a "delete" action
- the `folderid` parameter to "message.php" in a "showfolder" action
Exploitation requires a valid account, so any registered WGCC user can reach the vulnerable code paths.
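The pattern behind this class of bug, and the shape of the fix, as an added illustration that is not WGCC's code (WGCC is written in PHP and none of its source appears on this page): a Python/sqlite3 stand-in for the "profile.php" "show moreinfo" lookup. The table name, columns and rows are constructed assumptions; the attacker-controlled strings are what the `userid` query parameter would carry.

```python
import re
import sqlite3


def make_db():
    """Constructed stand-in for a WGCC user table; schema and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice", "alice@example.org"),
        (2, "bob", "bob@example.org"),
        (3, "carol", "carol@example.org"),
    ])
    return conn


def vulnerable_moreinfo(conn, userid):
    """The vulnerable shape: the raw userid request value is spliced into the SQL
    text, as a PHP script doing "WHERE userid = $_GET[userid]" would."""
    sql = f"SELECT userid, username, email FROM users WHERE userid = {userid}"
    return conn.execute(sql).fetchall()


def hardened_moreinfo(conn, userid):
    """The fix: enforce the integer type the parameter is meant to carry, then
    bind it as a query parameter so the value can never alter the statement."""
    if not re.fullmatch(r"[0-9]{1,10}", str(userid)):
        raise ValueError("userid must be a non-negative integer")
    sql = "SELECT userid, username, email FROM users WHERE userid = ?"
    return conn.execute(sql, (int(userid),)).fetchall()


def demo():
    """Run benign and attacker-controlled userid values through both versions."""
    conn = make_db()
    benign = "2"
    tautology = "2 OR 1=1"                                    # dumps every row
    union = "2 UNION SELECT 0, name, sql FROM sqlite_master"  # leaks the schema
    results = {
        "vuln_benign": vulnerable_moreinfo(conn, benign),
        "vuln_tautology": vulnerable_moreinfo(conn, tautology),
        "vuln_union": vulnerable_moreinfo(conn, union),
        "safe_benign": hardened_moreinfo(conn, benign),
    }
    try:
        results["safe_tautology"] = hardened_moreinfo(conn, tautology)
    except ValueError as exc:
        results["safe_tautology"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload turns a single-row lookup into a dump of the whole table, and the UNION payload reads the catalogue of another table entirely, which is the usual first step before extracting credentials; both pass through the vulnerable function unchanged. The hardened version rejects anything that is not a plain integer before the database ever sees it, and binds the value rather than formatting it, so even a future change that loosens the check would not reopen the structural injection.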
Recommendations:
No fixed release is named here, so the measures below are interim. Disabling a parameter outright breaks the function that depends on it; a more practical stopgap for Web Group Communication Center (WGCC) versions 1.0.3 PreRelease 1 and earlier is to treat each of the affected parameters, `userid`, `bildid`, `id`, `pmid`, and `folderid`, as an integer and reject any other value before it reaches a query, either in the scripts themselves (cast to integer, or whitelist the digits) or in a web application firewall placed in front of them. Restrict access to the affected scripts, "profile.php", "picturegallery.php", "filebase.php", "schedule.php", and "message.php", to trusted authenticated users, since the attack requires a valid account, and review web server logs for non-numeric values in these parameters. Upgrade as soon as the vendor publishes a patched version.
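One way to carry out the log review and screening rule above, as an added example that is not part of the original advisory and not WGCC's code: a small scanner that reads combined-format access log lines and flags any request to the five affected scripts whose named parameter is not a plain integer. The log entries are constructed, the URL layout (an `action` query parameter and the script paths under "/wgcc/") is an assumption, and the script-to-parameter map is taken directly from the description.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The scripts named in the advisory and the parameters it reports as injectable
# in each of them. All of them are meant to carry a numeric record id.
INJECTABLE_PARAMS = {
    "profile.php": {"userid", "id"},
    "picturegallery.php": {"bildid"},
    "filebase.php": {"id"},
    "schedule.php": {"id"},
    "message.php": {"pmid", "folderid"},
}
NUMERIC_ID = re.compile(r"[0-9]{1,10}")
# Request line inside an Apache/nginx combined-format access log entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def check_target(target):
    """Return (script, parameter, decoded value) for every watched parameter in
    the request target whose value is not a plain integer."""
    url = urlsplit(target)
    script = url.path.rsplit("/", 1)[-1]
    watched = INJECTABLE_PARAMS.get(script)
    if not watched:
        return []
    findings = []
    for name, values in parse_qs(url.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:  # parse_qs has already percent-decoded the value
            if not NUMERIC_ID.fullmatch(value):
                findings.append((script, name, value))
    return findings


def scan_log(lines):
    """Apply check_target to each log line; return (target, script, parameter, value)."""
    hits = []
    for line in lines:
        match = REQUEST_LINE.search(line)
        if match is None:
            continue
        for finding in check_target(match.group("target")):
            hits.append((match.group("target"),) + finding)
    return hits


# Constructed sample entries (not real WGCC traffic; the query layout is assumed).
SAMPLE_LOG = [
    '203.0.113.5 - alice [12/May/2008:10:01:02 +0200] "GET /wgcc/profile.php?action=moreinfo&userid=42 HTTP/1.1" 200 2311',
    '203.0.113.9 - mallory [12/May/2008:10:04:17 +0200] "GET /wgcc/profile.php?action=moreinfo&userid=42%20OR%201%3D1 HTTP/1.1" 200 8810',
    '203.0.113.9 - mallory [12/May/2008:10:05:40 +0200] "GET /wgcc/message.php?action=showfolder&folderid=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120',
    '203.0.113.5 - alice [12/May/2008:10:06:03 +0200] "GET /wgcc/picturegallery.php?action=shownext&bildid=7 HTTP/1.1" 200 1904',
    '203.0.113.7 - bob [12/May/2008:10:07:11 +0200] "GET /wgcc/index.php?id=1%27 HTTP/1.1" 200 3300',
    '203.0.113.9 - mallory [12/May/2008:10:08:55 +0200] "POST /wgcc/filebase.php HTTP/1.1" 302 0',
]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Two caveats apply. Access logs record only the request line, so a payload sent in a POST body (the last sample line) is invisible to this scan; the same allow-list check is only complete when it runs inside the application or in a WAF that inspects bodies. And the rule is deliberately narrow, flagging the exact script and parameter pairs from the advisory rather than every quote or keyword in the log, which keeps noise down but will not catch injection through parameters the advisory does not name.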