Nick Decker

Name of the Vulnerable Software and Affected Versions: Dolibarr ERP and CRM version 13.0.2 Description: The issue allows for stored cross-site scripting (XSS) in the object details of the user-management feature. This can be demonstrated by using > and < characters in the `onpointermove` attribute of a `BODY` element. Recommendations: For Dolibarr ERP and CRM version 13.0.2, consider disabling the user-management feature until a patch is available to prevent exploitation. Restrict access to object details to minimize the risk of XSS attacks. Avoid using the `onpointermove` attribute in the `BODY` element of the user-management feature until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Dolibarr version 13.0.2 Description: The website builder module in Dolibarr allows remote PHP code execution due to an incomplete protection mechanism. Specifically, while system, exec, and shell exec are blocked, backticks are not blocked, enabling this exploit. Recommendations: For Dolibarr version 13.0.2, consider disabling the website builder module until a patch is available to prevent remote PHP code execution. Restrict access to the module to minimize the risk of exploitation. Avoid using backticks in the affected module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VeryFitPro version 3.2.8 **Description** The VeryFitPro application communicates with the backend API over cleartext HTTP, which includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing. **Recommendations** For version 3.2.8, consider disabling communication with the backend API until a secure connection method is implemented, such as HTTPS, to prevent information theft and account takeover. Restrict access to sensitive information, such as login credentials and password change requests, to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Rocket.Chat versions 3.7.1 through 3.9.1 Description: An email address enumeration issue exists in the password reset function. This allows for the potential identification of email addresses associated with user accounts. Recommendations: For Rocket.Chat versions 3.7.1 through 3.9.1, update to a version later than 3.9.1 to resolve the issue. As a temporary workaround, consider restricting access to the password reset function until a patch is available.