Simon Uvarov

**Name of the Vulnerable Software and Affected Versions** IBM SPSS Analytic Server version 3.1.1.1 **Description** The issue allows users to embed arbitrary JavaScript code in the Web UI, potentially altering the intended functionality and leading to credentials disclosure within a trusted session. **Recommendations** For IBM SPSS Analytic Server version 3.1.1.1, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** OCS Inventory NG (affected versions not specified) **Description** The issue allows a privileged user to gain access to the server via crafted HTTP requests, exploiting an unrestricted file upload vulnerability with remote code execution in the ocsreports component. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Agentejo Cockpit (affected versions not specified) **Description** The issue involves multiple Cross-Site Scripting vulnerabilities. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Agentejo Cockpit (affected versions not specified) **Description** The issue is related to the lack of an anti-CSRF protection mechanism. This allows an attacker to modify sensitive information such as API tokens and passwords. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Agentejo Cockpit (affected versions not specified) **Description** The issue allows an attacker to traverse the file system to unintended locations and/or access arbitrary files due to a lack of appropriate validation when performing actions on files. This is related to a directory traversal issue in the `/media/api` endpoint. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** tecrail Responsive FileManager versions prior to 9.13.4 **Description** The issue allows an attacker to traverse directories by manipulating the pathname constructed from external input in the `/filemanager/ajax calls.php` file. This is due to the failure to properly neutralize sequences such as `..` that can resolve to a location outside the intended directory. **Recommendations** For versions prior to 9.13.4, update to version 9.13.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/filemanager/ajax calls.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** tecrail Responsive FileManager versions prior to 9.13.4 **Description** The issue concerns a directory traversal problem. It arises from the improper validation of file paths in archives by the `/filemanager/ajax calls.php` endpoint. This allows attackers to craft archives that, when extracted, can overwrite arbitrary files on the system via an extract action. **Recommendations** For versions prior to 9.13.4, update to version 9.13.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/filemanager/ajax calls.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OCS Inventory Server versions prior to 2.5 **Description** The issue allows a privileged user to gain access to the server via a template file containing PHP code. This is due to unrestricted file upload in the require/mail/NotificationMail.php file in Webconsole, where file extensions other than .html are permitted. **Recommendations** For versions prior to 2.5, restrict file uploads to only allow .html extensions to prevent remote code execution. As a temporary workaround, consider disabling the file upload feature in the Webconsole until a patch is available.