Siegfried

**Name of the Vulnerable Software and Affected Versions** Axis 207W network camera (affected versions not specified) **Description** A reflected XSS issue in the web administration portal of the Axis 207W network camera allows an attacker to execute arbitrary JavaScript via URL. This enables the attacker to potentially steal user sessions, hijack user accounts, or perform other malicious actions. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SPIP versions 1.8.2-e and earlier SPIP versions 1.9 Alpha 2 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via the `id forum`, `id article`, or `id breve` parameters to "forum.php3", unspecified vectors related to session handling, and when posting petitions. **Recommendations** For SPIP versions 1.8.2-e and earlier, avoid using the `id forum`, `id article`, and `id breve` parameters in the "forum.php3" endpoint until the issue is resolved. For SPIP versions 1.9 Alpha 2 and earlier, consider restricting access to session handling and petition posting functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpAdsNew versions 2.0.6 and earlier phpPgAds versions 2.0.6 and earlier **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `sessionID` parameter in specific API endpoints, such as "logout.php" and "index.php". **Recommendations** For phpAdsNew versions 2.0.6 and earlier, avoid using the `sessionID` parameter in the affected API endpoints until the issue is resolved. For phpPgAds versions 2.0.6 and earlier, restrict access to the "logout.php" and "index.php" endpoints to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Claroline versions 1.5.3 through 1.6 Release Candidate 1 Description: The issue allows remote attackers to inject arbitrary web script or HTML via several API endpoints, including "exercise result.php", "exercice submit.php", "agenda.php", "learningPathList.php", "learningPathAdmin.php", "learningPath.php", "userLog.php", the `tool` parameter to "toolaccess details.php", the `data` parameter to "user access details.php", or the `coursePath` parameter to "myagenda.php". Recommendations: For Claroline versions 1.5.3 through 1.6 Release Candidate 1, consider disabling access to the vulnerable API endpoints until a patch is available. Restrict input for the `tool` parameter to "toolaccess details.php", the `data` parameter to "user access details.php", and the `coursePath` parameter to "myagenda.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Claroline versions 1.5.3 through 1.6 Release Candidate 1 Description: The issue allows remote attackers to execute arbitrary PHP code. The estimated number of potentially affected devices and details about real-world incidents are not specified. Recommendations: For Claroline versions 1.5.3 through 1.6 Release Candidate 1, at the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Claroline versions 1.5.3 through 1.6 Release Candidate 1 Description: The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several endpoints and parameters, including "learningPath.php", "learningPathAdmin.php", "learnPath details.php", "modules pool.php", "module.php", the `uInfo` parameter in "userInfo.php", or the `exo id` parameter to "exercises details.php". Recommendations: For Claroline versions 1.5.3 through 1.6 Release Candidate 1, consider restricting access to the mentioned endpoints and parameters until a patch is available. As a temporary workaround, avoid using the `uInfo` parameter in "userInfo.php" and the `exo id` parameter in "exercises details.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Claroline versions 1.5.3 through 1.6 Release Candidate 1 Description: The issue concerns directory traversal vulnerabilities in certain PHP files, specifically `document.php` and `insertMyDoc.php`, which could allow remote project administrators to upload arbitrary files. Recommendations: For Claroline versions 1.5.3 through 1.6 Release Candidate 1, consider restricting access to the `document.php` and `insertMyDoc.php` files until a patch is available. As a temporary workaround, limit the ability of remote project administrators to upload files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.