Román Medina-Heigl Hernández

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 with v.1 patch and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `username`, which is recorded in a log file but not properly handled when the administrator uses the admin log utility to read the log file. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 with v.1 patch and earlier, consider disabling the admin log utility until a patch is available to prevent exploitation of the XSS issue via the `username` variable.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier **Description** The issue allows remote attackers to gain unauthorized access due to the lack of verification of the old password when a user changes their password. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier, update to a version that verifies the old password during the password change process to prevent unauthorized access.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier **Description** The issue concerns the check login function in login.php, which does not properly exit when authentication fails. This allows remote attackers to gain unauthorized access. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier, as a temporary workaround, consider disabling the check login function until a patch is available. Restrict access to the login.php module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier **Description** The issue allows remote attackers to gain unauthorized access due to a lack of user privilege checks when adding new administrative users. **Recommendations** For Virtual Hosting Control System (VHCS) versions 2.4.7.1 and earlier, consider disabling the add user.php script until a patch is available to prevent unauthorized access. Restrict access to administrative user addition functionality to minimize the risk of exploitation.