Sebastian Jeż

**Name of the Vulnerable Software and Affected Versions** Times Software E-Payroll (affected versions not specified) **Description** The application does not properly sanitize data received in POST parameters during the login process, potentially allowing an unauthenticated attacker to perform Denial-of-Service (DoS) attacks. While SQL injection attacks are possible, backend filtering mechanisms may currently prevent successful exploitation. Command injection attempts result in the application displaying detailed error messages that reveal information about the internal infrastructure. The vendor has not responded to inquiries regarding patching status. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JDownloads versions 1.0.0 through 4.0.47 **Description** The JDownloads component for Joomla is susceptible to multiple Cross-Site Request Forgery (CSRF) attacks. These attacks could allow an attacker to perform actions on behalf of an authenticated user without their knowledge or consent. **Recommendations** Update JDownloads to a version newer than 4.0.47.

Name of the Vulnerable Software and Affected Versions: Quantum Manager versions 1.0.0 through 3.2.0 Description: A stored cross-site scripting (XSS) issue exists in the Quantum Manager component for Joomla. File names are not properly escaped, which could allow for malicious code execution. Recommendations: Quantum Manager versions 1.0.0 through 3.2.0: Ensure proper escaping of file names to prevent the injection of malicious scripts.

Name of the Vulnerable Software and Affected Versions: Quantum Manager versions 1.0.0 through 3.2.0 Description: A stored cross-site scripting (XSS) issue was identified in the Quantum Manager component for Joomla. The SVG upload feature does not properly sanitize uploaded files, allowing for the injection of persistent scripts. Recommendations: Quantum Manager version 3.2.0 and earlier: Ensure all SVG uploads are properly sanitized to prevent the injection of malicious code.

Name of the Vulnerable Software and Affected Versions: Phoca Commander versions 1.0.0 through 4.0.0 Phoca Commander versions 5.0.0 through 5.0.1 Description: An authenticated remote code execution issue exists in Phoca Commander for Joomla. The issue allows code execution via the unzip feature. Recommendations: Update Phoca Commander to a version newer than 4.0.0. Update Phoca Commander to a version newer than 5.0.1.

Name of the Vulnerable Software and Affected Versions: DJ-Classifieds versions 3.9.2 through 3.10.1 Description: A SQL injection issue exists in DJ-Classifieds, allowing privileged users to execute arbitrary SQL commands. Recommendations: Update DJ-Classifieds to a version newer than 3.10.1.

**Name of the Vulnerable Software and Affected Versions** No Boss Testimonials versions 1.0.0 through 3.0.0 No Boss Testimonials versions 4.0.0 through 4.0.2 **Description** A stored Cross-Site Scripting (XSS) issue exists in the No Boss Testimonials component. This allows an attacker to inject malicious scripts into the application, potentially compromising user accounts or performing unauthorized actions. **Recommendations** Update No Boss Testimonials to a version later than 3.0.0 and earlier than 4.0.0. Update No Boss Testimonials to a version later than 4.0.2.

**Name of the Vulnerable Software and Affected Versions** CommentBox versions 1.0.0 through 1.1.0 **Description** A stored cross-site scripting (XSS) issue exists in the CommentBox component. This allows for the injection of malicious scripts into the application through the component. **Recommendations** Update CommentBox to a version later than 1.1.0.

**Name of the Vulnerable Software and Affected Versions** Joomla CComment component versions 5.0.0 through 6.1.14 **Description** A stored cross-site scripting (XSS) issue exists in the CComment component. This allows an attacker to inject malicious scripts into the application, potentially compromising user accounts or website data. **Recommendations** Update the CComment component to a version later than 6.1.14.

**Name of the Vulnerable Software and Affected Versions** ProFiles versions 1.0 through 1.5.0 **Description** A stored Cross-Site Scripting (XSS) issue exists in the ProFiles component. This allows for the injection of malicious scripts into the application, potentially compromising user accounts and data. **Recommendations** Update ProFiles to a version later than 1.5.0.

**Name of the Vulnerable Software and Affected Versions** DJ-Reviews versions 1.0 through 1.3.6 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the DJ-Reviews component for Joomla. This allows an attacker to inject malicious scripts into a web page viewed by other users. **Recommendations** Update DJ-Reviews to a version later than 1.3.6.

**Name of the Vulnerable Software and Affected Versions** Komento versions 4.0.0 through 4.0.7 **Description** A SQL injection flaw exists in the Komento component for Joomla. This issue permits unprivileged users to execute arbitrary SQL commands. **Recommendations** Update Komento to a version newer than 4.0.7.

**Name of the Vulnerable Software and Affected Versions** DJ-Flyer versions 1.0 through 3.2 **Description** A SQL injection issue exists in the DJ-Flyer component. The vulnerability allows privileged users to execute arbitrary SQL commands. **Recommendations** Update DJ-Flyer to a version later than 3.2.

**Name of the Vulnerable Software and Affected Versions** Eura7 CMSmanager versions 4.6 and below **Description** The issue is related to Reflected XSS attacks, which can be triggered through manipulation of the `return` GET request parameter sent to a specific endpoint. **Recommendations** For Eura7 CMSmanager versions 4.6 and below, apply patch 17012022 to address the vulnerability. As a temporary workaround, consider restricting access to the vulnerable endpoint until the patch is applied. Avoid using the `return` parameter in the affected endpoint until the issue is resolved.