Omriinbar

**Name of the Vulnerable Software and Affected Versions** Streama versions up to and including 1.10.3 **Description** A cross-site request forgery (CSRF) vulnerability exists in the application. The application does not have CSRF checks in place when performing actions such as uploading local files. As a result, attackers could make a logged-in administrator upload arbitrary local files via a CSRF attack and send them to the attacker. **Recommendations** For versions up to and including 1.10.3, consider implementing CSRF checks for actions like uploading local files to prevent exploitation. As a temporary workaround, restrict access to file upload functionality until a patch is available. Avoid using the file upload feature in the affected application until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: MyLittleBackup versions up to and including 1.7 Description: The management tool in MyLittleBackup allows remote attackers to execute arbitrary code because the `machineKey` is hardcoded in `web.config`, and can be used to send serialized ASP code. This issue affects all customers' installations due to the use of the same hardcoded `machineKey`. Recommendations: For MyLittleBackup versions up to and including 1.7, consider changing the hardcoded `machineKey` in `web.config` to a unique value for each installation as a temporary workaround. However, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Beego version 2.0.1 Description: A Cross Site Scripting (XSS) issue exists in the admin panel via the URI path in an HTTP request. This is activated when administrators view the "Request Statistics" page. Recommendations: For Beego version 2.0.1, as a temporary workaround, consider restricting access to the admin panel or the "Request Statistics" page until a patch is available. Avoid using the vulnerable URI path in HTTP requests to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: FileBrowser versions prior to 2.16.0 Description: A stored cross-site scripting (XSS) issue exists that allows an authenticated user to upload a malicious .svg file, which acts as a stored XSS payload. If triggered by an administrator, this payload can execute malicious OS commands on the server running the FileBrowser instance. Recommendations: For versions prior to 2.16.0, update to version 2.16.0 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload .svg files or disabling the upload feature for authenticated users until a patch is applied. Restrict access to the FileBrowser instance to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** gowitness versions prior to 2.3.6 **Description** A vulnerability exists that allows an unauthenticated attacker to perform an arbitrary file read using the `file://` scheme in the `url` parameter to get an image of any file. **Recommendations** For versions prior to 2.3.6, update to version 2.3.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `url` parameter to minimize the risk of exploitation. Avoid using the `url` parameter with the `file://` scheme until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Impacket versions 0.9.22 and earlier **Description** The issue is related to multiple path traversal vulnerabilities in the smbserver.py component of Impacket. An attacker connecting to a running smbserver instance can exploit these vulnerabilities to list and write to arbitrary files via ../ directory traversal. This could potentially lead to arbitrary code execution by replacing sensitive files such as /etc/shadow or an SSH authorized key. The vulnerability can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. **Recommendations** For Impacket versions 0.9.22 and earlier, update to version 0.9.23 or later to resolve the issue. As a temporary workaround, consider restricting access to the smbserver instance to minimize the risk of exploitation. Avoid using the smbserver.py component until the issue is resolved.