Paul Bisso

**Name of the Vulnerable Software and Affected Versions** JQueryForm.com versions prior to 2022-02-05 **Description** A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `redirect` parameter to "admin.php". This enables attackers to execute malicious scripts on the client-side. **Recommendations** For versions prior to 2022-02-05, as a temporary workaround, consider restricting access to the "admin.php" endpoint until a fix is available. Avoid using the `redirect` parameter in the affected forms until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JQueryForm.com versions prior to 2022-02-05 **Description** The issue allows a remote authenticated attacker to access the cleartext credentials of all other form users. The admin.php file contains a hidden base64-encoded string with these credentials. **Recommendations** For versions prior to 2022-02-05, consider removing or securely storing the hidden base64-encoded string in admin.php to prevent unauthorized access to user credentials. As a temporary workaround, restrict access to admin.php until a fix is applied.

**Name of the Vulnerable Software and Affected Versions** JQueryForm.com versions prior to 2022-02-05 **Description** The issue allows remote attackers to obtain the URI to any uploaded file by capturing the POST response. This can be chained with another issue to potentially lead to unauthenticated remote code execution on the underlying web server. The problem occurs because the Unique ID field is contained in the POST response upon submitting a form. **Recommendations** For versions prior to 2022-02-05, consider restricting access to the form submission endpoint to minimize the risk of exploitation. As a temporary workaround, avoid using the Unique ID field in the POST response until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JQueryForm.com versions prior to 2022-02-05 **Description** The issue allows remote unauthenticated attackers to upload executable files and achieve remote code execution. This occurs because file-extension checks occur on the client side, and not all executable content is blocked, such as files with .phtml or .php.bak extensions. **Recommendations** For versions prior to 2022-02-05, consider disabling the file-upload capability until a fix is available. Restrict access to the file upload feature to minimize the risk of exploitation. Avoid relying solely on client-side file-extension checks; instead, implement server-side checks to block executable content.

**Name of the Vulnerable Software and Affected Versions** JQueryForm.com versions prior to 2022-02-05 **Description** The issue allows a remote authenticated attacker to bypass authentication and access the administrative section of other forms hosted on the same web server. This is particularly relevant when an organization hosts multiple forms on their server. **Recommendations** For versions prior to 2022-02-05, consider restricting access to the administrative section of forms until a fix is applied, and ensure that each form's authentication is properly configured to prevent unauthorized access.