P4Nk4Jv

**Name of the Vulnerable Software and Affected Versions** Canto plugin version 1.3.0 for WordPress **Description** The issue allows an unauthenticated attacker to make a request to any internal and external server via the /includes/lib/detail.php endpoint with the `subdomain` variable set to SSRF. This enables the attacker to exploit the blind Server-Side Request Forgery (SSRF) vulnerability. **Recommendations** For Canto plugin version 1.3.0, consider disabling the /includes/lib/detail.php endpoint or restricting access to it until a patch is available. Avoid using the `subdomain` variable in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Canto plugin version 1.3.0 for WordPress **Description** The issue allows an unauthenticated attacker to make a request to any internal and external server via the /includes/lib/get.php endpoint with the `subdomain` variable set to SSRF. This enables blind Server-Side Request Forgery (SSRF) attacks. **Recommendations** For Canto plugin version 1.3.0, consider disabling the /includes/lib/get.php endpoint or restricting access to it until a patch is available. Avoid using the `subdomain` variable in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Canto plugin version 1.3.0 for WordPress **Description** The issue allows an unauthenticated attacker to make a request to any internal and external server via the /includes/lib/tree.php endpoint with the `subdomain` variable set to SSRF. This enables blind Server-Side Request Forgery (SSRF) attacks. **Recommendations** For Canto plugin version 1.3.0, consider disabling the /includes/lib/tree.php endpoint or restricting access to it until a patch is available. Avoid using the `subdomain` variable in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NeDi version 1.9C **Description** The issue allows an attacker to execute arbitrary JavaScript code via the "Monitoring-Incidents.php" API endpoint, specifically through the `id` parameter. This enables a cross-site scripting (XSS) attack. **Recommendations** For NeDi version 1.9C, consider restricting access to the "Monitoring-Incidents.php" API endpoint until a patch is available. As a temporary workaround, avoid using the `id` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NeDi version 1.9C **Description** The issue allows an attacker to execute arbitrary JavaScript code via the "Assets-Management.php" `sn` parameter, enabling a cross-site scripting (XSS) attack. **Recommendations** For NeDi version 1.9C, as a temporary workaround, consider restricting access to the "Assets-Management.php" endpoint until a patch is available. Avoid using the `sn` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NeDi version 1.9C **Description** The issue allows an attacker to execute arbitrary JavaScript code via the "snmpget.php" API endpoint, specifically through the `ip` parameter. This enables a cross-site scripting (XSS) attack. **Recommendations** For NeDi version 1.9C, as a temporary workaround, consider restricting access to the "snmpget.php" API endpoint until a patch is available. Avoid using the `ip` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NeDi version 1.9C **Description** The issue allows an attacker to execute arbitrary JavaScript code via the "Topology-Routes.php" `rtr` parameter, enabling a cross-site scripting (XSS) attack. **Recommendations** For NeDi version 1.9C, consider disabling access to the "Topology-Routes.php" endpoint until a patch is available. As a temporary workaround, restrict the use of the `rtr` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NeDi version 1.9C **Description** The issue allows an attacker to execute arbitrary JavaScript code via the "Assets-Management.php" `chg` parameter, enabling a cross-site scripting (XSS) attack. **Recommendations** For NeDi version 1.9C, as a temporary workaround, consider restricting access to the "Assets-Management.php" endpoint until a patch is available. Avoid using the `chg` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.