Seongil-Wio

**Name of the Vulnerable Software and Affected Versions** safe-eval versions all versions **Description** The issue arises from improper input sanitization, leading to a Sandbox Bypass vulnerability. This vulnerability is derived from prototype pollution exploitation and may result in remote code execution (RCE). Vulnerable functions include ` defineGetter `, `stack()`, `toLocaleString()`, `propertyIsEnumerable.call()`, and `valueOf()`. **Recommendations** For all versions, consider disabling the vulnerable functions ` defineGetter `, `stack()`, `toLocaleString()`, `propertyIsEnumerable.call()`, and `valueOf()` as a temporary workaround until a patch is available. Restrict input to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** bugs versions 1.8 and below **Description** The issue is a cross-site scripting (XSS) vulnerability in the install/index.php file. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `last name` parameter. **Recommendations** For versions 1.8 and below, consider restricting access to the install/index.php file until a patch is available. As a temporary workaround, avoid using the `last name` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** bugs versions 1.8 and below **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `email` parameter in the install/index.php file. This enables attackers to perform cross-site scripting (XSS) attacks. **Recommendations** For versions 1.8 and below, consider restricting access to the install/index.php file until a patch is available. As a temporary workaround, avoid using the `email` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** bugs versions 1.8 and below **Description** The issue is a cross-site scripting (XSS) vulnerability in the install/index.php file. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `first name` parameter. **Recommendations** For versions 1.8 and below, consider restricting access to the install/index.php file until a patch is available. As a temporary workaround, avoid using the `first name` parameter in the affected file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** infaveo-helpdesk versions 1.11.0 and below **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `$ SERVER["PHP SELF"]` parameter in the dompdf/dompdf/www/demo.php file. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For versions 1.11.0 and below, consider restricting access to the demo.php file until a patch is available. As a temporary workaround, avoid using the `$ SERVER["PHP SELF"]` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** getID3 versions 1.X through 2.0.0-beta **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `showtagfiles` parameter in demos/demo.mysqli.php. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For getID3 versions 1.X through 2.0.0-beta, consider disabling the `showtagfiles` parameter in the demos/demo.mysqli.php file until a patch is available. Restrict access to the demos/demo.mysqli.php file to minimize the risk of exploitation. Avoid using the `showtagfiles` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Spotify-for-Alfred versions 0.13.9 and below **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `error` parameter in callback.php. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For versions 0.13.9 and below, consider disabling access to the callback.php file until a patch is available. Restrict input for the `error` parameter to prevent injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** FlexTV beta development version **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the index.php file of FlexTV. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `PHP SELF` parameter. **Recommendations** For FlexTV beta development version, consider restricting access to the `index.php` file until a patch is available. As a temporary workaround, avoid using the `PHP SELF` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spotweb versions 1.5.1 and below **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `newpassword2` parameter in the templates/installer/step-004.inc.php file. This enables cross-site scripting (XSS) attacks. **Recommendations** For spotweb versions 1.5.1 and below, consider disabling access to the templates/installer/step-004.inc.php file until a patch is available. Avoid using the `newpassword2` parameter in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spotweb versions 1.5.1 and below **Description** The issue is a cross-site scripting (XSS) vulnerability in the templates/installer/step-004.inc.php file. This allows remote attackers to inject arbitrary web script or HTML via the `firstname` parameter. **Recommendations** For spotweb versions 1.5.1 and below, consider restricting access to the templates/installer/step-004.inc.php file until a patch is available. As a temporary workaround, avoid using the `firstname` parameter in the affected template to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Detector versions 0.8.5 and below **Description** The issue is a cross-site scripting (XSS) vulnerability in the contactform.inc.php file. This allows remote attackers to inject arbitrary web script or HTML via the `cid` parameter. **Recommendations** For Detector versions 0.8.5 and below, consider disabling the contactform.inc.php file or restricting access to it until a patch is available. Avoid using the `cid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spotweb versions 1.5.1 and below **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `newpassword1` parameter in the templates/installer/step-004.inc.php file. **Recommendations** For spotweb versions 1.5.1 and below, consider restricting access to the vulnerable `newpassword1` parameter in the templates/installer/step-004.inc.php file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spotweb versions 1.5.1 and below **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `mail` parameter in the templates/installer/step-004.inc.php file. **Recommendations** For spotweb versions 1.5.1 and below, as a temporary workaround, consider restricting access to the `mail` parameter in the affected template until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** spotweb versions 1.5.1 and below **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `lastname` parameter in the templates/installer/step-004.inc.php file. This can be exploited by sending malicious input to the affected endpoint. **Recommendations** For spotweb versions 1.5.1 and below, consider restricting access to the templates/installer/step-004.inc.php file until a patch is available. As a temporary workaround, avoid using the `lastname` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** concrete5-legacy versions 5.6.4.0 and below **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the `mode` parameter in the concrete/elements/collection add.php file. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For versions 5.6.4.0 and below, consider disabling access to the concrete/elements/collection add.php file until a patch is available. As a temporary workaround, restrict the use of the `mode` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** concrete5-legacy versions 5.6.4.0 and below **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the `ctID` parameter in the concrete/elements/collection add.php file. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For concrete5-legacy versions 5.6.4.0 and below, consider disabling access to the concrete/elements/collection add.php file until a patch is available. As a temporary workaround, restrict the use of the `ctID` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** concrete5-legacy versions 5.6.4.0 and below **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML. This is achieved via the `cID` parameter in the toos/permissions/dialogs/access/entity/types/group combination.php file. **Recommendations** For concrete5-legacy versions 5.6.4.0 and below, consider disabling access to the group combination.php file until a patch is available. Restrict input for the `cID` parameter to prevent injection of malicious scripts.

**Name of the Vulnerable Software and Affected Versions** concrete5-legacy versions 5.6.4.0 and below **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the `rel` parameter in the concrete/elements/collection add.php file. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For concrete5-legacy versions 5.6.4.0 and below, consider disabling access to the concrete/elements/collection add.php file until a patch is available. Restrict the use of the `rel` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** concrete5-legacy versions 5.6.4.0 and below **Description** The issue is a cross-site scripting (XSS) vulnerability that allows remote attackers to inject arbitrary web script or HTML via the `rel` parameter in the concrete/elements/collection theme.php file. This enables attackers to potentially execute malicious scripts on the victim's browser. **Recommendations** For concrete5-legacy versions 5.6.4.0 and below, consider disabling access to the concrete/elements/collection theme.php file until a patch is available. Restrict input for the `rel` parameter to prevent injection of malicious scripts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** JustWriting versions 1.0.0 and below **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `challenge` parameter in the application/controllers/dropbox.php file. **Recommendations** For JustWriting versions 1.0.0 and below, avoid using the `challenge` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.