Security Curmudgeon

Name of the Vulnerable Software and Affected Versions: Simple Machines Forum (SMF) versions through 2.0.5 Description: The issue affects Simple Machines Forum, allowing for cross-site scripting (XSS) attacks. Recommendations: For versions through 2.0.5, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Cryptocat versions prior to 2.0.42 **Description** The issue concerns a weakness in the generation of ECC private keys for group chats, which could potentially be exploited through brute force. **Recommendations** For versions prior to 2.0.42, update to version 2.0.42 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cryptocat versions prior to 2.0.22 **Description** The issue allows for arbitrary code execution on Firefox Conversation Overview. **Recommendations** For versions prior to 2.0.22, update to version 2.0.22 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cryptocat versions prior to 2.0.22 **Description** The issue allows for a Remote Denial of Service via the `username`. **Recommendations** For versions prior to 2.0.22, update to version 2.0.22 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Cryptocat versions prior to 2.0.22 **Description** The issue is related to weak handling of HTML in the Link Markup Decorator. **Recommendations** For versions prior to 2.0.22, update to version 2.0.22 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Expinion.net iNews (iNP) Publisher versions 2.5 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `ex` parameter in the articles.asp file. Initial reports incorrectly identified this as a cross-site scripting (XSS) issue, but it was later determined to be a SQL injection vulnerability. The vulnerability was initially reported for News Manager, but evidence suggests that the correct affected product is Publisher. **Recommendations** For versions 2.5 and earlier, consider restricting access to the articles.asp file until a fix is available. As a temporary workaround, avoid using the `ex` parameter in the articles.asp file to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: iNETstore Ebusiness Software version 2.0 Description: A cross-site scripting issue in the search.inetstore component allows remote attackers to inject arbitrary web script or HTML via the `searchterm` parameter in the "/search.inetstore" endpoint. This could lead to various malicious actions on the affected system. Recommendations: For iNETstore Ebusiness Software version 2.0, avoid using the `searchterm` parameter in the search.inetstore endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.