Rodolfo Tavares

**Name of the Vulnerable Software and Affected Versions** Bruno versions prior to 1.29.1 **Description** The issue arises from Bruno's use of Electron's `shell.openExternal` function without proper validation of URLs, specifically `http` or `https`, when opening windows within the Markdown docs viewer. This lack of validation can lead to unvalidated URL handling. **Recommendations** For versions prior to 1.29.1, update to version 1.29.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of Electron's `shell.openExternal` function within the Markdown docs viewer until a patch is available. Restrict access to the Markdown docs viewer to minimize the risk of exploitation. Avoid using unvalidated URLs in the affected viewer until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Lumisxp versions 15.0.x through 16.1.x **Description** A cross-site scripting (XSS) issue in the XsltResultControllerHtml.jsp component allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `lumPageID` parameter. **Recommendations** For Lumisxp versions 15.0.x through 16.1.x, consider restricting access to the XsltResultControllerHtml.jsp component until a patch is available. As a temporary workaround, avoid using the `lumPageID` parameter in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lumisxp versions 15.0.x through 16.1.x **Description** A cross-site scripting (XSS) issue in the UrlAccessibilityEvaluation.jsp component allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `contentHtml` parameter. **Recommendations** For Lumisxp versions 15.0.x through 16.1.x, consider restricting access to the UrlAccessibilityEvaluation.jsp component until a patch is available. As a temporary workaround, avoid using the `contentHtml` parameter in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Lumisxp versions 15.0.x through 16.1.x **Description** A cross-site scripting (XSS) issue in the main.jsp component allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `pageId` parameter. **Recommendations** For Lumisxp versions 15.0.x through 16.1.x, consider restricting access to the main.jsp component until a patch is available, and avoid using the `pageId` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Lumisxp versions 15.0.x through 16.1.x **Description** A hardcoded privileged ID allows attackers to bypass authentication and access internal pages and other sensitive information. **Recommendations** For Lumisxp versions 15.0.x through 16.1.x, consider temporarily restricting access to internal pages until a patch is available. As a temporary workaround, avoid using the hardcoded privileged ID in authentication processes until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Migration, Backup, Staging WordPress plugin versions prior to 0.9.76 **Description** The issue allows high privilege users to read any file from the web server via a Traversal attack due to the plugin not sanitising and validating a parameter before using it to read the content of a file. **Recommendations** For versions prior to 0.9.76, update to version 0.9.76 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive files on the web server until the update is applied.