Quirmz

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.15.1 SuiteCRM versions prior to 8.9.3 **Description** SuiteCRM is an open-source Customer Relationship Management (CRM) software application. A Denial-of-Service (DoS) issue exists in SuiteCRM modules. **Recommendations** Update to SuiteCRM version 7.15.1 or later. Update to SuiteCRM version 8.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** SuiteCRM versions prior to 7.15.1 SuiteCRM versions prior to 8.9.3 **Description** SuiteCRM is an open-source Customer Relationship Management (CRM) software application. Before versions 7.15.1 and 8.9.3, an Authenticated Remote Code Execution (RCE) issue exists in SuiteCRM modules. This allows for the potential execution of arbitrary code on a remote system. **Recommendations** Update to SuiteCRM version 7.15.1 or later. Update to SuiteCRM version 8.9.3 or later.

**Name of the Vulnerable Software and Affected Versions** FreePBX versions prior to 16.0.49 FreePBX versions prior to 17.0.7 **Description** FreePBX module cdr (Call Data Record) is susceptible to SQL query injection. The issue allows for potential manipulation of database queries through crafted input. **Recommendations** Update to FreePBX version 16.0.49 or later. Update to FreePBX version 17.0.7 or later.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions 25.12.0 and below **Description** LibreNMS, an auto-discovering PHP/MySQL/SNMP based network monitoring tool, contains a Stored Cross-Site Scripting (XSS) issue in the Alert Rules workflow. An attacker with administrative privileges can inject malicious scripts that execute in the browser context of any user who accesses the Alert Rules page. This allows for the execution of arbitrary code within a user's browser session. **Recommendations** Update to version 26.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** LibreNMS versions 25.12.0 and below **Description** LibreNMS is a network monitoring tool. A Time-Based Blind SQL Injection exists in the `address-search.inc.php` file via the `address` parameter. Supplying a crafted subnet prefix allows manipulation of SQL query logic and inference of database information through time-based conditional responses. This requires authentication and is exploitable by any authenticated user. The API endpoint involved is `address-search.inc.php`. The vulnerable parameter is `address`. **Recommendations** Update to version 26.2.0 or later.

**Name of the Vulnerable Software and Affected Versions** ClipBucket versions 5.5.2 through 5.5.2-#187 **Description** ClipBucket v5 is a video sharing platform susceptible to a Blind SQL Injection issue. The flaw exists within the add comment section of a channel. An attacker can exploit this by sending a POST request to the `/actions/ajax.php` endpoint. The `obj id` parameter within this request is used in the `user exists` function of the `upload/includes/classes/user.class.php` file, specifically as the `$id` parameter. This `$id` parameter is then used in the `count` function of the `upload/includes/classes/db.class.php` file. The parameter is incorporated into a query without proper validation or sanitization, allowing a crafted input like `1' or 1=1-- -` to trigger the injection. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.