Samrat Das

**Name of the Vulnerable Software and Affected Versions** Oracle E-Business Suite versions 12.2.6 through 12.2.9 **Description** The issue is related to inadequate access control in the Absence Recording and Maintenance components of Oracle Human Resources. It allows a low-privileged attacker with network access via HTTP to compromise Oracle Human Resources, requiring human interaction from someone other than the attacker. Successful attacks can result in unauthorized update, insert, or delete access to some of Oracle Human Resources' accessible data, potentially impacting additional products. **Recommendations** For versions 12.2.6 through 12.2.9, update to a version that includes the fix for this issue to prevent unauthorized access and data modification. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Frog CMS version 0.9.5 **Description** The issue is related to the lack of an anti-CSRF token in state modification requests, specifically in the "add user" functionality. This allows a malicious user to craft an HTML page that can trick a victim into creating a new user with admin privileges when clicked. The vulnerable endpoint is "/admin/?/user/add". **Recommendations** For Frog CMS version 0.9.5, consider implementing an anti-CSRF token in state modification requests to prevent cross-site request forgery attacks. As a temporary workaround, restrict access to the "/admin/?/user/add" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** October CMS versions through 1.0.431 The RainLab Blog Plugin used in October CMS versions through 1.0.431 **Description** The issue allows for XSS by entering HTML on the Add Posts page. This can be exploited through the RainLab Blog Plugin. **Recommendations** For October CMS versions through 1.0.431, update to a version that includes a fix for this issue. For The RainLab Blog Plugin used in October CMS versions through 1.0.431, consider disabling the plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** FrontAccounting version 2.4.3 **Description** The issue concerns a CSRF flaw that allows adding a user account via the "add user" feature of the User Permissions page, accessible through the admin/users.php endpoint. **Recommendations** For FrontAccounting version 2.4.3, consider implementing CSRF protection measures to prevent unauthorized actions, such as adding a user account through the admin/users.php endpoint. As a temporary workaround, restrict access to the admin/users.php endpoint to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.3.1 Description: The issue concerns the upload functionality, which accepts random application extensions, leading to malicious file upload. Recommendations: For WonderCMS version 2.3.1, consider disabling the upload functionality until a patch is available to prevent malicious file uploads.

Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.3.1 Description: The application's input fields accept arbitrary user input, resulting in the execution of malicious JavaScript. It is noted that the vendor disputes this issue, stating it is a feature that enables only a logged-in administrator to write and execute JavaScript anywhere on their website. Recommendations: For WonderCMS version 2.3.1, as a temporary workaround, consider restricting access to input fields to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: WonderCMS version 2.3.1 Description: The issue allows for an HTTP Host header injection attack. It utilizes user-entered values to redirect pages. The vendor notes that exploitation is unlikely since the attack can only originate from a local machine or from the administrator as a self-attack. Recommendations: For WonderCMS version 2.3.1, consider restricting the use of user-entered values in page redirects until a fix is available. As a temporary workaround, limit the ability to modify redirect pages to authorized personnel only.