Rikuto Tauchi

Name of the Vulnerable Software and Affected Versions: Group-Office versions prior to 6.8.119 Group-Office versions prior to 25.0.20 Description: Group-Office is susceptible to a cross-site scripting issue. Successful exploitation of this issue could allow for the execution of arbitrary scripts within a user's web browser. Recommendations: Update Group-Office to version 6.8.119 or later. Update Group-Office to version 25.0.20 or later.

Name of the Vulnerable Software and Affected Versions: Group-Office versions prior to 6.8.119 Group-Office versions prior to 25.0.20 Description: Group-Office is susceptible to a path traversal vulnerability. Exploitation of this issue may lead to the exposure of information on the server hosting the product. Recommendations: Update Group-Office to version 6.8.119 or later. Update Group-Office to version 25.0.20 or later.

Name of the Vulnerable Software and Affected Versions: LuxCal Web Calendar versions prior to 5.3.3M (MySQL version) LuxCal Web Calendar versions prior to 5.3.3L (SQLite version) Description: The issue concerns an SQL injection vulnerability in the retrieve.php file. If exploited, this vulnerability may allow information in a database to be deleted, altered, or retrieved. Recommendations: For versions prior to 5.3.3M (MySQL version), update to version 5.3.3M or later. For versions prior to 5.3.3L (SQLite version), update to version 5.3.3L or later. As a temporary workaround, consider restricting access to the retrieve.php file until a patch is applied.

Name of the Vulnerable Software and Affected Versions: LuxCal Web Calendar versions prior to 5.3.3M (MySQL version) LuxCal Web Calendar versions prior to 5.3.3L (SQLite version) Description: The issue concerns an SQL injection vulnerability in the pdf.php file. If exploited, this vulnerability may allow information in a database to be deleted, altered, or retrieved. Recommendations: For versions prior to 5.3.3M (MySQL version), update to version 5.3.3M or later. For versions prior to 5.3.3L (SQLite version), update to version 5.3.3L or later. As a temporary workaround, consider restricting access to the pdf.php file until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** a-blog cms versions 3.0.x through 3.0.31 a-blog cms versions 3.1.x through 3.1.11 **Description** A code injection issue exists, allowing a user with administrator or higher privilege who can log in to the product to execute an arbitrary command on the server if the vulnerability is exploited. **Recommendations** For versions 3.0.x through 3.0.31, update to version 3.0.32 or later. For versions 3.1.x through 3.1.11, update to version 3.1.12 or later.

**Name of the Vulnerable Software and Affected Versions** a-blog cms versions prior to 3.1.12 a-blog cms versions prior to 3.0.32 a-blog cms versions prior to 2.11.61 a-blog cms versions prior to 2.10.53 a-blog cms version 2.9 and earlier **Description** A cross-site scripting vulnerability exists in a-blog cms. If this issue is exploited, a user with contributor or higher privilege who can log in to the product may execute an arbitrary script on the web browser of the user who accessed the website using the product. **Recommendations** For versions prior to 3.1.12, update to version 3.1.12 or later. For versions prior to 3.0.32, update to version 3.0.32 or later. For versions prior to 2.11.61, update to version 2.11.61 or later. For versions prior to 2.10.53, update to version 2.10.53 or later. For version 2.9 and earlier, update to a later version.

**Name of the Vulnerable Software and Affected Versions** a-blog cms versions prior to 3.1.12 a-blog cms versions prior to 3.0.32 a-blog cms versions prior to 2.11.61 a-blog cms versions prior to 2.10.53 a-blog cms version 2.9 and earlier **Description** A directory traversal vulnerability exists in a-blog cms, allowing a user with editor or higher privilege who can log in to the product to obtain arbitrary files on the server if the vulnerability is exploited. **Recommendations** For versions prior to 3.1.12, update to version 3.1.12 or later. For versions prior to 3.0.32, update to version 3.0.32 or later. For versions prior to 2.11.61, update to version 2.11.61 or later. For versions prior to 2.10.53, update to version 2.10.53 or later. For version 2.9 and earlier, update to a later version.

**Name of the Vulnerable Software and Affected Versions** a-blog cms versions prior to 3.1.12 a-blog cms versions prior to 3.0.32 a-blog cms versions prior to 2.11.61 a-blog cms versions prior to 2.10.53 a-blog cms version 2.9 and earlier **Description** A cross-site scripting issue exists, allowing a user with editor or higher privilege who can log in to the product to execute an arbitrary script on the web browser of the user who accessed the schedule management page. **Recommendations** For versions prior to 3.1.12, update to version 3.1.12 or later. For versions prior to 3.0.32, update to version 3.0.32 or later. For versions prior to 2.11.61, update to version 2.11.61 or later. For versions prior to 2.10.53, update to version 2.10.53 or later. For version 2.9 and earlier, update to a later version.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions 9.0.0 through 9.2.7 Concrete CMS versions prior to 8.5.16 **Description** The issue concerns a Stored XSS vulnerability on the calendar color settings screen. This occurs because user input is output without proper escaping, allowing a rogue administrator to inject malicious JavaScript into the Calendar Color Settings screen. This malicious code might be executed when users visit the affected page. **Recommendations** For Concrete CMS versions 9.0.0 through 9.2.7, update to version 9.2.8 or later. For Concrete CMS versions prior to 8.5.16, update to version 8.5.16 or later. As a temporary workaround, consider restricting access to the calendar color settings screen to minimize the risk of exploitation.