Seqode

**Name of the Vulnerable Software and Affected Versions** Windows Connected Devices Platform Service (Cdpsvc) (affected versions not specified) **Description** The issue is related to an uncontrolled consumption of resources in the Windows Connected Devices Platform Service (Cdpsvc) component of the Microsoft Windows operating system. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Custom Field Suite plugin for WordPress versions up to, and including, 2.6.5 **Description** The issue is related to Stored Cross-Site Scripting via the `cfs[fields][*][name]` parameter due to insufficient input sanitization and output escaping. This allows authenticated attackers with administrator-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The issue only affects multi-site installations and installations where unfiltered html has been disabled. **Recommendations** For versions up to, and including, 2.6.5, update to a version later than 2.6.5 to resolve the issue. As a temporary workaround, consider restricting access to the `cfs[fields][*][name]` parameter to minimize the risk of exploitation. Additionally, ensure that unfiltered html is enabled, if possible, to reduce the attack surface.

**Name of the Vulnerable Software and Affected Versions** Elementor ImageBox plugin for WordPress versions up to, and including, 1.2.8 **Description** The issue is related to Stored Cross-Site Scripting via the image box widget due to insufficient input sanitization and output escaping on user-supplied attributes. This allows authenticated attackers with contributor-level access and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. **Recommendations** For versions up to, and including, 1.2.8, update to a version higher than 1.2.8 to resolve the issue. As a temporary workaround, consider restricting access to the image box widget for users with contributor-level access and above until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Piwigo versions prior to 14.0.0beta4 **Description** A reflected cross-site scripting (XSS) issue is present in the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin id=[here]` page. This issue allows an attacker to inject malicious HTML and JS code into the HTML page, which could then be executed by admin users when they visit the URL with the payload. The issue is caused by the insecure injection of the `plugin id` value from the URL into the HTML page. An attacker can exploit this issue by crafting a malicious URL that contains a specially crafted `plugin id` value. Only users who are logged in as administrators are affected, as the issue is only present on the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin id=[here]` page, which is only accessible to administrators. **Recommendations** For versions prior to 14.0.0beta4, update to version 14.0.0beta4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/admin.php?page=plugins&tab=new&installstatus=ok&plugin id=[here]` page to minimize the risk of exploitation. Avoid using the `plugin id` parameter in the affected API endpoint until the issue is resolved.