Pedro José Navas Pérez

**Name of the Vulnerable Software and Affected Versions** Sage 200 Spain versions prior to 2025.35.000 **Description** The issue allows an authenticated attacker with administrator privileges to obtain NTLMv2-SSP Hash by changing any of the paths to a UNC path pointing to a server controlled by the attacker. **Recommendations** For versions prior to 2025.35.000, update to version 2025.35.000 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Sage 200 Spain versions prior to 2025.35.000 **Description** The issue allows an authenticated attacker with administrator privileges to discover stored SMTP credentials. **Recommendations** For versions prior to 2025.35.000, update to version 2025.35.000 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** The Staff / Employee Business Directory for Active Directory WordPress plugin versions prior to 1.2.3 **Description** The issue arises from the plugin's failure to sanitize and escape data returned from the LDAP server before rendering it in the page. This allows users who can control their entries in the LDAP directory to inject malicious javascript, which could be used against high-privilege users such as a site admin. **Recommendations** For versions prior to 1.2.3, update to version 1.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the LDAP directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** EspoCRM version 7.2.5 **Description** An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server via the update form, which could lead to arbitrary PHP code execution. **Recommendations** For EspoCRM version 7.2.5, update to a version that contains a fix for this issue to prevent arbitrary PHP code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the update form to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** EspoCRM version 7.2.5 **Description** An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server via the extension deployment form, which could lead to arbitrary PHP code execution. **Recommendations** For EspoCRM version 7.2.5, update to a newer version that contains a fix for this issue to prevent arbitrary PHP code execution. As a temporary workaround, consider restricting access to the extension deployment form to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Active Directory Integration / LDAP Integration WordPress plugin versions prior to 4.1.10 **Description** The issue concerns the storage of sensitive LDAP logs in a buffer file when an administrator exports them. Unfortunately, this log file is never removed and remains accessible to any users who know the URL to access it. **Recommendations** For versions prior to 4.1.10, update to version 4.1.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the buffer file or removing it manually until a patch is applied. Avoid sharing the URL of the log file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Active Directory Integration / LDAP Integration plugin for WordPress versions up to, and including, 4.1.10 **Description** The issue is due to insufficient validation when changing the LDAP server, making it possible for authenticated attackers with administrative access and above to change the LDAP server and retrieve the credentials for the original LDAP server. **Recommendations** For versions up to, and including, 4.1.10, update to a version higher than 4.1.10 to resolve the issue. As a temporary workaround, consider restricting access to the LDAP server configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** The Staff / Employee Business Directory for Active Directory plugin for WordPress versions up to, and including, 1.2.3 The Active Directory Integration / LDAP Integration plugin for WordPress versions up to, and including, 4.1.10 **Description** The issue is due to insufficient validation when changing the LDAP server, making it possible for authenticated attackers with administrative access and above to change the LDAP server and retrieve the credentials for the original LDAP server. **Recommendations** For The Staff / Employee Business Directory for Active Directory plugin for WordPress versions up to, and including, 1.2.3, update to a version higher than 1.2.3 to resolve the issue. For The Active Directory Integration / LDAP Integration plugin for WordPress versions up to, and including, 4.1.10, update to a version higher than 4.1.10 to resolve the issue. As a temporary workaround, consider restricting access to the LDAP server configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Password Recovery plugin for Roundcube version 1.2 **Description** The issue concerns the password recovery mechanism, which could allow a remote attacker to change an existing user's password by adding a 6-digit numeric token. Since the platform has no limit on the number of requests, an attacker could create an automatic script to test all possible values. **Recommendations** For Password Recovery plugin for Roundcube version 1.2, consider disabling the password recovery feature until a patch is available to prevent exploitation. Restrict access to the password recovery mechanism to minimize the risk of unauthorized password changes. Avoid using the password recovery feature with the 6-digit numeric token until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Roundcube Password Recovery plugin version 1.2 **Description** The issue allows a remote attacker to create a test script against the password recovery function to enumerate all users in the database. This is a user enumeration vulnerability in the Password Recovery plugin for Roundcube. **Recommendations** For Roundcube Password Recovery plugin version 1.2, consider disabling the password recovery function until a patch is available to prevent user enumeration. Restrict access to the password recovery module to minimize the risk of exploitation. Avoid using the password recovery feature in the affected plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** This issue could allow an attacker to store a malicious JavaScript payload in the `login footer` and `login page description` parameters within the administration panel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned in the provided descriptions. **Description** This issue could allow an attacker to store a malicious JavaScript payload in the `broadcast message` parameter within the admin panel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.