Rastating

**Name of the Vulnerable Software and Affected Versions** Gila CMS versions prior to 1.11.5 **Description** The issue allows an attacker to upload a file with a dangerous type via the moveAction function in core/controllers/fm.php. This can be achieved by using the admin/media upload and fm/move endpoints. **Recommendations** For versions prior to 1.11.5, update to version 1.11.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the moveAction function in core/controllers/fm.php to minimize the risk of exploitation. Avoid using the admin/media upload and fm/move endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Gila CMS versions prior to 1.11.5 **Description** The issue allows for XSS in blog-list.php, affecting both the gila-blog and gila-mag themes, via the `search` parameter. **Recommendations** For versions prior to 1.11.5, update to version 1.11.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the `search` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Bludit versions 3.2.9 through 3.9.2 **Description** The issue allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers. This can be exploited by sending requests with varying `X-Forwarded-For` or `Client-IP` headers to the affected system. **Recommendations** For versions 3.2.9 through 3.9.2, consider temporarily disabling the authentication mechanism that relies on the `X-Forwarded-For` or `Client-IP` headers until a patch is available. Restrict access to the `security.class.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT version 2.5.4 **Description** An issue was discovered in the sign-up page available at /index.php?page=signup, where the `act` parameter is vulnerable to reflected cross-site scripting. **Recommendations** For version 2.5.4, consider restricting access to the sign-up page or validating and sanitizing the `act` parameter to prevent cross-site scripting attacks. As a temporary workaround, avoid using the `act` parameter in the /index.php?page=signup endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT version 2.5.4 **Description** An issue was discovered in the search function available at "/index.php?page=forums&action=search", where the `keywords` parameter is vulnerable to reflected cross-site scripting. **Recommendations** For BTITeam XBTIT version 2.5.4, consider restricting access to the search function or avoiding the use of the `keywords` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT version 2.5.4 **Description** An issue was discovered where the hashed passwords stored in the `xbtit users` table are stored as unsalted MD5 hashes. This makes it easier for attackers to obtain cleartext values via a brute-force attack. **Recommendations** For BTITeam XBTIT version 2.5.4, consider updating the password storage mechanism to use a salted hashing algorithm to mitigate the risk of brute-force attacks. As a temporary workaround, restrict access to the `xbtit users` table to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT (affected versions not specified) **Description** An issue was discovered due to a lack of cross-site request forgery protection, making it possible to automate the action of sending private messages to users by luring an authenticated user to a web page that automatically submits a form on their behalf. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT (affected versions not specified) **Description** An issue was discovered where the `returnto` parameter of the login page is vulnerable to an open redirect due to a lack of validation. If a user is already logged in when accessing the page, they will be instantly redirected. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT (affected versions not specified) **Description** An issue in BTITeam XBTIT allows PHP error logs to be stored in an open directory (/include/logs) with predictable file names. This can lead to full path disclosure and the leakage of sensitive data. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT version 2.5.4 **Description** An issue was discovered that allows XSS via the `id` parameter in the "news.php" endpoint. **Recommendations** For BTITeam XBTIT version 2.5.4, consider restricting access to the `id` parameter in the "news.php" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT version 2.5.4 **Description** An issue was discovered where the password hash of a user is rehashed using a predictable salt and stored in the `pass` cookie, which is not flagged as HTTPOnly. This allows an attacker who steals the cookie to efficiently brute-force it and retrieve the user's cleartext password. **Recommendations** For BTITeam XBTIT version 2.5.4, consider disabling the storage of password hashes in the `pass` cookie until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. Avoid using predictable salts for password hashing. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT (affected versions not specified) **Description** An issue was discovered that allows bypassing the anti-XSS mechanism in includes/crk protection.php. This is achieved by utilizing String.replace and eval, enabling the circumvention of the protection that normally looks for dangerous fingerprints. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BTITeam XBTIT version 2.5.4 **Description** The issue concerns a stored XSS exploit via the title of a news item in the newsfeed, accessible through the API endpoint "/index.php?page=viewnews". This exploit is also possible through CSRF. **Recommendations** For version 2.5.4, consider restricting access to the newsfeed feature until a patch is available, and avoid using the title field in news items to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dedos-web version 1.0 **Description** The issue concerns hardcoded cookie and session secrets in the Express.js application, which are visible in the source code. An attacker can exploit this by editing the session cookie contents and re-signing it using the hardcoded secret, potentially leading to privilege escalation due to the use of Passport.js. **Recommendations** For Dedos-web version 1.0, consider regenerating and securely storing unique cookie and session secrets to prevent unauthorized access and privilege escalation. As a temporary workaround, restrict access to sensitive areas of the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** GamerPolls version 0.4.6 **Description** An issue was discovered related to the files config/environments/all.js and config/initializers/02 passport.js. An attacker can edit the Passport.js contents of the session cookie to contain the ID number of the account they wish to take over, and re-sign it using the hard-coded secret. **Recommendations** For GamerPolls version 0.4.6, consider disabling the use of the hard-coded secret in config/environments/all.js and config/initializers/02 passport.js as a temporary workaround until a patch is available. Restrict access to editing the Passport.js contents of the session cookie to minimize the risk of exploitation.