Solov9Ev

**Name of the Vulnerable Software and Affected Versions** Concrete CMS (previously concrete5) versions 8.5.12 and below Concrete CMS (previously concrete5) versions 9.0.0 through 9.0.2 **Description** The issue is related to Stored XSS in uploaded file and folder names. **Recommendations** For Concrete CMS (previously concrete5) versions 8.5.12 and below, update to version 9.1 or later. For Concrete CMS (previously concrete5) versions 9.0.0 through 9.0.2, update to version 9.1 or later.

**Name of the Vulnerable Software and Affected Versions** revive-adserver versions prior to 5.3.0 **Description** The issue is related to the generation of session IDs, which is based on the cryptographically insecure `uniqid()` PHP function. This could potentially allow an attacker to brute force session IDs and take over a specific account under certain circumstances. **Recommendations** For versions prior to 5.3.0, update to version 5.3.0 or later to resolve the issue. As a temporary workaround, consider implementing additional security measures to protect against brute force attacks on session IDs.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 5.2.0 **Description** The issue allows an attacker to execute injected JavaScript code by tricking a user into clicking on a specifically crafted URL. This is due to a reflected XSS vulnerability in the `status` parameter of the "campaign-zone-zones.php" endpoint. **Recommendations** For versions prior to 5.2.0, update to version 5.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "campaign-zone-zones.php" endpoint to minimize the risk of exploitation. Avoid using the `status` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 5.2.0 **Description** The issue is related to a reflected XSS vulnerability due to single quotes not being escaped in the `statsBreakdown` parameter of stats.php, and possibly other scripts. An attacker could trick a user into clicking on a specifically crafted URL and pressing a certain key combination to execute injected JavaScript code. **Recommendations** For versions prior to 5.2.0, update to version 5.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the stats.php script and avoiding the use of the `statsBreakdown` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 5.1.1 **Description** The issue is related to a reflected XSS vulnerability. It affects the userlog-index.php file via the `period preset` parameter. **Recommendations** For versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the userlog-index.php file or avoiding the use of the `period preset` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Revive Adserver versions prior to 5.1.1 **Description** The issue is related to a reflected XSS vulnerability. It affects the stats.php file via the `setPerPage` parameter. **Recommendations** For versions prior to 5.1.1, update to version 5.1.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the stats.php file or avoiding the use of the `setPerPage` parameter until the update is applied.