Sathish

**Name of the Vulnerable Software and Affected Versions** Fast Secure Contact Form plugin versions prior to 4.0.38 **Description** The issue allows for XSS, specifically through the `fs contact form1[welcome]` parameter. **Recommendations** For versions prior to 4.0.38, update to version 4.0.38 or later to resolve the issue. As a temporary workaround, consider restricting access to the `fs contact form1[welcome]` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NextGEN Gallery plugin versions prior to 2.1.10 **Description** The issue involves multiple XSS problems related to parameters such as `thumbnail width`, `thumbnail height`, `thumbwidth`, `thumbheight`, `wmXpos`, and `wmYpos`, as well as template issues. **Recommendations** For versions prior to 2.1.10, update to version 2.1.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters and template until the update is applied. Avoid using the parameters `thumbnail width`, `thumbnail height`, `thumbwidth`, `thumbheight`, `wmXpos`, and `wmYpos` in the affected template until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** NETGEAR JNR1010 devices versions prior to 1.0.0.32 **Description** The issue allows for XSS attacks through the `webproc?getpage=` endpoint. **Recommendations** For versions prior to 1.0.0.32, update to version 1.0.0.32 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Blubrry PowerPress Podcasting plugin version 6.0.4 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It occurs via the `tab` parameter. There is no information provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For version 6.0.4, avoid using the `tab` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WSO2 Data Analytics Server version 3.1.0 **Description** The issue concerns a security problem where an attacker can inject malicious scripts. This is possible through the `collectionName` or `parentPath` parameter in the "carbon/resources/add collection ajaxprocessor.jsp" endpoint. **Recommendations** For WSO2 Data Analytics Server version 3.1.0, consider restricting access to the "carbon/resources/add collection ajaxprocessor.jsp" endpoint until a patch is available, and avoid using the `collectionName` or `parentPath` parameters in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Crony Cronjob Manager plugin versions prior to 0.4.7 **Description** The issue concerns a CSRF vulnerability via the `name` parameter in an "action=manage&do=create" operation. This can be exploited to insert XSS sequences. **Recommendations** For versions prior to 0.4.7, update to version 0.4.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the "action=manage&do=create" operation to minimize the risk of exploitation. Avoid using the `name` parameter in the affected operation until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** BulletProof Security plugin versions prior to .52.5 **Description** The issue allows for XSS to be possible for remote authenticated administrators via the `DBTablePrefix` parameter in the admin/db-backup-security/db-backup-security.php page. **Recommendations** For versions prior to .52.5, update to version .52.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the admin/db-backup-security/db-backup-security.php page to minimize the risk of exploitation. Avoid using the `DBTablePrefix` parameter in the affected page until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Photocrati NextGEN Gallery plugin version 2.1.15 **Description** The issue allows for XSS, which is possible for remote authenticated administrators. This occurs via the `images[1][alttext]` parameter in the nggallery-manage-gallery page. **Recommendations** For Photocrati NextGEN Gallery plugin version 2.1.15, consider restricting access to the nggallery-manage-gallery page until a patch is available. As a temporary workaround, avoid using the `images[1][alttext]` parameter in the affected page to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Photocrati NextGEN Gallery plugin version 2.1.10 **Description** The issue concerns unrestricted file upload in the Photocrati NextGEN Gallery plugin for WordPress. This is achieved by modifying the file extension, for example, from .jpg to .php, using the `name` parameter in post-new.php. **Recommendations** For version 2.1.10, consider restricting file uploads to only allowed extensions to prevent potential exploitation. As a temporary workaround, restrict access to the post-new.php file until a patch is available. Avoid using the `name` parameter in the affected endpoint until the issue is resolved.