Shin24

**Name of the Vulnerable Software and Affected Versions** Drupal core versions 8.0.0 through 10.3.12 Drupal core versions 10.4.0 through 10.4.2 Drupal core versions 11.0.0 through 11.0.11 Drupal core versions 11.1.0 through 11.1.2 **Description** The issue is related to an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability, which allows Object Injection in Drupal core. **Recommendations** For versions 8.0.0 through 10.3.12, update to version 10.3.13 or later. For versions 10.4.0 through 10.4.2, update to version 10.4.3 or later. For versions 11.0.0 through 11.0.11, update to version 11.0.12 or later. For versions 11.1.0 through 11.1.2, update to version 11.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Apache OFBiz versions prior to 18.12.16 **Description** The issue is a Direct Request ('Forced Browsing') vulnerability in Apache OFBiz, which could allow attackers to execute arbitrary code on vulnerable Linux and Windows servers. This vulnerability has been actively exploited by hackers, with over 25,000 requests targeting 4,000 unique sites detected by Imperva. The vulnerability allows for unauthenticated remote code execution. **Recommendations** Apache OFBiz versions prior to 18.12.16: Upgrade to version 18.12.16 to prevent attacks. As a temporary workaround, consider restricting access to vulnerable modules or functions until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.38 **Description** The backup management module of the Admin CP in MyBB may accept `.htaccess` as the name of the backup file to be deleted, potentially exposing stored backup files over HTTP on Apache servers. **Recommendations** For MyBB versions prior to 1.8.38, upgrade to MyBB 1.8.38 to resolve the issue. As a temporary workaround, consider restricting access to the backup management module in the Admin CP until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** MyBB versions prior to 1.8.38 **Description** The default list of disallowed remote hosts in MyBB does not contain the `127.0.0.0/8` block, which may result in a Server-Side Request Forgery (SSRF) issue. The Configuration File's Disallowed Remote Addresses list (`$config['disallowed remote addresses']`) contains the address `127.0.0.1`, but does not include the complete block `127.0.0.0/8`. Administrators of installed boards should update the existing configuration (`inc/config.php`) to include all addresses blocked by default. Users are advised to verify that it includes any other IPv4 addresses resolving to the server and other internal resources. **Recommendations** For MyBB versions prior to 1.8.38, update to MyBB 1.8.38 to resolve the issue. As a temporary workaround, consider manually adding `127.0.0.0/8` to the disallowed address list in the configuration file (`inc/config.php`) until a patch is available. Restrict access to internal resources and verify that the configuration includes any other IPv4 addresses resolving to the server to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpBB versions up to 3.3.10 **Description** A problematic issue has been found in phpBB, affecting the function main of the file phpBB/includes/acp/acp icons.php of the component Smiley Pack Handler. The manipulation of the argument `pak` leads to cross-site scripting. The attack may be initiated remotely. Upgrading to version 3.3.11 is able to address this issue. **Recommendations** For phpBB versions up to 3.3.10, upgrade to version 3.3.11 to address the issue. As a temporary workaround, consider restricting access to the vulnerable component Smiley Pack Handler until the upgrade is applied. Avoid using the argument `pak` in the affected function main until the issue is resolved.