Podalirius

**Name of the Vulnerable Software and Affected Versions** LimeSurvey versions 5.3.9 and below **Description** A cross-site scripting (XSS) issue in the uploadConfirm.php file allows attackers to execute arbitrary web scripts or HTML via a crafted plugin. This can be exploited by attackers to execute malicious scripts on the affected system. **Recommendations** For versions 5.3.9 and below, consider disabling access to the uploadConfirm.php file until a patch is available. Restrict the use of crafted plugins to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ametys CMS versions prior to 4.5.0 **Description** The auto-completion plugin in Ametys CMS allows a remote unauthenticated attacker to read documents, which contain all characters typed by all users, including the content of private pages. These documents may include sensitive information such as usernames, e-mail addresses, and possibly passwords. The attacker can access files like `plugins/web/service/search/auto-completion/<domain>/en.xml` and similar pathnames for other languages. **Recommendations** For Ametys CMS versions prior to 4.5.0, update to version 4.5.0 or later to resolve the issue. As a temporary workaround, consider disabling the auto-completion plugin until a patch is available. Restrict access to the `plugins/web/service/search/auto-completion` directory to minimize the risk of exploitation. Avoid using the auto-completion feature in sensitive areas of the application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Adminer versions 1.12.0 through 4.6.2 **Description** The issue allows an attacker to achieve arbitrary file read on a remote server by requesting Adminer to connect to a remote MySQL database, due to improper access control. **Recommendations** For Adminer versions 1.12.0 through 4.6.2, update to version 4.6.3 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Telmat AccessLog versions prior to 6.0 (TAL 20180415) **Description** The issue allows an attacker to gain root shell access through unauthenticated code injection over the network, specifically targeting the login page. **Recommendations** For Telmat AccessLog versions prior to 6.0 (TAL 20180415), consider disabling the login page functionality until a patch is available to prevent unauthenticated code injection attacks.

**Name of the Vulnerable Software and Affected Versions** Telmat AccessLog versions prior to 6.0 (TAL 20180415) **Description** The issue concerns the ping page of the administration panel, where an authenticated code injection attack can be performed over the network, potentially leading to root shell access. **Recommendations** For Telmat AccessLog versions prior to 6.0 (TAL 20180415), update to a version newer than 6.0 to resolve the issue.