Liferay · Liferay Portal · CVE-2014-2963
**Name of the Vulnerable Software and Affected Versions**
Liferay Portal versions 6.1.2 CE GA3, 6.1.X EE, and 6.2.X EE
**Description**
The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters in the group/control panel/manage section. The vulnerable parameters are `firstName`, `lastName`, and `middleName`.
**Recommendations**
For Liferay Portal version 6.1.2 CE GA3, avoid using the parameters `_2_firstName`, `_2_lastName`, or `_2_middleName` in the group/control panel/manage section until a fix is available.
For Liferay Portal version 6.1.X EE, restrict access to the group/control panel/manage section to minimize the risk of exploitation.
For Liferay Portal version 6.2.X EE, consider disabling the group/control panel/manage functionality until a patch is available.