Snappyjack

**Name of the Vulnerable Software and Affected Versions** XZ version 5.2.5 **Description** An issue in XZ allows attackers to cause a denial of service via decompression of a crafted file. The vendor disputes the claims of "endless output" and "denial of service" because decompression of a 17,486 bytes file always results in 114,881,179 bytes, which is often a reasonable size increase. **Recommendations** For XZ version 5.2.5, update to version 5.2.9 to fix the security issue.

**Name of the Vulnerable Software and Affected Versions** PDFResurrect version 0.15 **Description** The issue arises from a buffer overflow that occurs when PDFResurrect mishandles data associated with `startxref` and `%%EOF` in a crafted PDF file. **Recommendations** For PDFResurrect version 0.15, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PESCMS Team version 2.2.1 **Description** The issue allows attackers to upload and execute arbitrary PHP code. This can be achieved by uploading a ZIP archive containing a .php file through the "/Public/?g=Team&m=Setting&a=upgrade" API endpoint. **Recommendations** For PESCMS Team version 2.2.1, consider disabling the upgrade functionality in the Team module as a temporary workaround until a patch is available. Restrict access to the "/Public/?g=Team&m=Setting&a=upgrade" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PESCMS Team version 2.2.1 **Description** The issue concerns multiple reflected XSS instances. These occur via the `keyword` parameter in several API endpoints: "g=Team&m=User&a=index&keyword=", "g=Team&m=User group&a=index&keyword=", "g=Team&m=Department&a=index&keyword=", and "g=Team&m=Bulletin&a=index&keyword=". **Recommendations** For PESCMS Team version 2.2.1, as a temporary workaround, consider restricting access to the `keyword` parameter in the affected API endpoints until a patch is available. Avoid using the `keyword` parameter in these endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Frog CMS version 0.9.5 **Description** The issue allows creation of files via the "/admin/?/plugin/file manager/save" API endpoint. **Recommendations** For Frog CMS version 0.9.5, consider disabling the file manager plugin until a patch is available. Restrict access to the "/admin/?/plugin/file manager/save" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Frog CMS version 0.9.5 **Description** The issue is related to stored XSS. It can be exploited via the "/admin/?/plugin/comment/settings" API endpoint. **Recommendations** For Frog CMS version 0.9.5, update to a version that contains a fix for this issue.