Sahil Ojha

**Name of the Vulnerable Software and Affected Versions** issabel-pbx version 4.0.0-6 **Description** A Cross Site Request Forgery (CSRF) issue allows a remote attacker to cause a denial of service via the delete new virtual fax function. **Recommendations** For issabel-pbx version 4.0.0-6, consider disabling the delete new virtual fax function as a temporary workaround until a patch is available. Restrict access to this function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** issabel-pbx version 4.0.0-6 **Description** The issue allows a remote attacker to obtain sensitive information via the modules directory. **Recommendations** For issabel-pbx version 4.0.0-6, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Issabel PBX version 4 **Description** A stored cross site scripting (XSS) issue exists in the "index.php?menu=billing rates" endpoint of Issabel PBX, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Name` or `Prefix` fields under the Create New Rate module. **Recommendations** For Issabel PBX version 4, as a temporary workaround, consider restricting access to the "index.php?menu=billing rates" endpoint until a patch is available. Avoid using the `Name` and `Prefix` fields in the Create New Rate module with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** issabel-pbx version 4.0.0-6 **Description** A Cross Site Request Forgery (CSRF) issue allows a remote attacker to cause a denial of service via a crafted script to the `deleteuser` function. This can lead to unauthorized actions being performed. **Recommendations** For issabel-pbx version 4.0.0-6, as a temporary workaround, consider disabling the `deleteuser` function until a patch is available. Restrict access to the affected function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Issabel issabel-pbx version 4.0.0-6 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Group` and `Description` parameters. **Recommendations** For Issabel issabel-pbx version 4.0.0-6, consider restricting input for the `Group` and `Description` parameters to prevent malicious payloads until a fix is available.

**Name of the Vulnerable Software and Affected Versions** issabel-pbx version 4.0.0-6 **Description** A Cross Site Request Forgery (CSRF) issue allows a remote attacker to cause a denial of service via the delete user grouplist function. This can lead to unintended actions being performed without the user's consent. **Recommendations** For issabel-pbx version 4.0.0-6, consider disabling the delete user grouplist function until a patch is available to prevent potential denial of service attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Issabel issabel-pbx version 4.0.0-6 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Virtual Fax Name` and `Caller ID Name` parameters under the New Virtual Fax feature. **Recommendations** For Issabel issabel-pbx version 4.0.0-6, consider disabling the New Virtual Fax feature until a patch is available to prevent exploitation of the stored cross-site scripting issue. Restrict access to the Virtual Fax Name and Caller ID Name parameters to minimize the risk of arbitrary web script or HTML execution.

**Name of the Vulnerable Software and Affected Versions** Issabel issabel-pbx version 4.0.0-6 **Description** A Cross Site Request Forgery (CSRF) issue allows a remote attacker to gain privileges by creating a new user function in the application via a custom CSRF exploit. **Recommendations** For Issabel issabel-pbx version 4.0.0-6, consider disabling the user creation function as a temporary workaround until a patch is available. Restrict access to the application to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Microworld Technologies eScan Management console version 14.0.1400.2281 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via a vulnerable parameter `GrpPath`. **Recommendations** For version 14.0.1400.2281, avoid using the parameter `GrpPath` in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microworld Technologies eScan Management console version 14.0.1400.2281 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via a crafted script to the `Description` parameter. **Recommendations** For version 14.0.1400.2281, avoid using the `Description` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microworld Technologies eScan Management console version 14.0.1400.2281 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary code via a crafted script to the `Dtltyp` and `ListName` parameters. **Recommendations** For version 14.0.1400.2281, consider restricting access to the `Dtltyp` and `ListName` parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Microworld Technologies eScan Management console version 14.0.1400.2281 **Description** A Cross Site Scripting issue allows a remote attacker to execute arbitrary JavaScript code via a vulnerable `delete file` parameter. This enables the attacker to perform unauthorized actions on the affected system. **Recommendations** For Microworld Technologies eScan Management console version 14.0.1400.2281, avoid using the `delete file` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the delete file functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microworld Technologies eScan management console version 14.0.1400.2281 **Description** The issue concerns a Reflected Cross Site Scripting (XSS) in the view dashboard detail feature, allowing a remote attacker to inject arbitrary code via the URL directly. This enables the attacker to execute malicious scripts on the victim's browser. **Recommendations** For Microworld Technologies eScan management console version 14.0.1400.2281, consider disabling the view dashboard detail feature until a patch is available to prevent exploitation. Restrict access to the affected feature to minimize the risk of arbitrary code injection. Avoid using the vulnerable URL directly in the view dashboard detail feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microworld Technologies eScan Management Console version 14.0.1400.2281 **Description** The issue allows any remote attacker to retrieve the password of any admin or normal user in plain text format through the `GetUserCurrentPwd` function. **Recommendations** For Microworld Technologies eScan Management Console version 14.0.1400.2281, consider disabling the `GetUserCurrentPwd` function until a patch is available to prevent potential exploitation.

**Name of the Vulnerable Software and Affected Versions** MicroWorld eScan Management Console version 14.0.1400.2281 **Description** The issue allows a remote attacker to perform SQL injection in the View User Profile feature, enabling them to dump the entire database and gain a Windows XP command shell. This can lead to code execution on the database server. The attack is carried out via the `GetUserCurrentPwd` endpoint with the `UsrId` parameter set to `1`, specifically `GetUserCurrentPwd?UsrId=1`. **Recommendations** For MicroWorld eScan Management Console version 14.0.1400.2281, consider disabling the `GetUserCurrentPwd` endpoint or restricting access to it until a patch is available. Avoid using the `UsrId` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** eScan management console version 14.0.1400.2281 **Description** The issue is related to Cross Site Scripting (XSS) in the edit user form, allowing a remote attacker to inject arbitrary code via the `from` parameter. This enables the attacker to execute malicious scripts on the victim's browser. **Recommendations** For version 14.0.1400.2281, consider disabling the edit user form functionality until a patch is available to prevent exploitation. Restrict access to the vulnerable form to minimize the risk of arbitrary code injection. Avoid using the `from` parameter in the affected form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.