Sony

Name of the Vulnerable Software and Affected Versions: Jamroom versions prior to 4.2.7 Description: A Cross Site Scripting (XSS) issue exists via the Status Update field. This allows for malicious script execution. Recommendations: For versions prior to 4.2.7, update to version 4.2.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WebSVN versions prior to 2.3.1 **Description** A cross-site scripting (XSS) issue exists in the getLog function in svnlook.php, allowing remote attackers to inject arbitrary web script or HTML via the `path` parameter to API endpoints such as "comp.php", "diff.php", or "revision.php". **Recommendations** For versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints "comp.php", "diff.php", and "revision.php" until the update is applied. Avoid using the `path` parameter in these endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Otterware StatIt version 4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters in the statistik.php file. The vulnerable parameters include the `action` parameter, the `show` parameter in a `stat tld` action, and the `order` parameter in a `stat abfragen` action. **Recommendations** For Otterware StatIt version 4, as a temporary workaround, consider restricting access to the statistik.php file until a patch is available. Avoid using the `action`, `show`, and `order` parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TikiWiki CMS/Groupware version 8.3 **Description** The issue allows remote attackers to load arbitrary web site pages into frames, which can be used to conduct phishing attacks. This is achieved via the `url` parameter in the tiki-featured link.php file. **Recommendations** For TikiWiki CMS/Groupware version 8.3, consider restricting access to the tiki-featured link.php file or disabling the use of the `url` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ViewGit versions 0.0.6 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `f` parameter. This can lead to the execution of malicious code on the victim's browser. **Recommendations** For ViewGit versions 0.0.6 and earlier, avoid using the `f` parameter in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FuseTalk Forums versions 3.2 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability. It allows remote attackers to inject arbitrary web script or HTML via the `windowed` parameter in the "login.cfm" file. **Recommendations** For FuseTalk Forums versions 3.2 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** xClick Cart versions 1.0.1 through 1.0.2 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `shopping url` parameter in the webscr.php file. **Recommendations** For versions 1.0.1 and 1.0.2, avoid using the `shopping url` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the webscr.php file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** UBB.threads versions 7.5.6 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `Loginname` parameter in the forums/ubbthreads.php file. **Recommendations** For versions 7.5.6 and earlier, avoid using the `Loginname` parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the forums/ubbthreads.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Kayako Fusion versions prior to 4.40.985 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via certain vectors, possibly a crafted ticket description in the Tickets/Submit functionality. **Recommendations** For versions prior to 4.40.985, update to version 4.40.985 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** WonderDesk SQL version 4.14 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters. The parameters `cus email`, `help name`, `help email`, `help website`, and `help example url` are vulnerable in certain actions. **Recommendations** For WonderDesk SQL version 4.14, consider restricting access to the `wonderdesk.cgi` script until a patch is available. As a temporary workaround, avoid using the parameters `cus email`, `help name`, `help email`, `help website`, and `help example url` in the affected actions.

**Name of the Vulnerable Software and Affected Versions** Zimbra Collaboration Suite (ZCS) versions 6.x through 6.0.14 Zimbra Collaboration Suite (ZCS) versions 7.x through 7.1.2 **Description** A cross-site scripting (XSS) issue exists in the Zimbra Web Client, specifically in the zimbra/h/calendar component. This allows remote attackers to inject arbitrary web script or HTML via the `view` parameter. **Recommendations** For Zimbra Collaboration Suite (ZCS) versions 6.x through 6.0.14, update to version 6.0.15 or later. For Zimbra Collaboration Suite (ZCS) versions 7.x through 7.1.2, update to version 7.1.3 or later.

**Name of the Vulnerable Software and Affected Versions** Semantic Enterprise Wiki (SMW+) versions 1.5.6, 1.6.0 2 and earlier **Description** The issue is related to a cross-site scripting (XSS) vulnerability in the smwfOnSfSetTargetName function. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `target` parameter to the "index.php/Special:FormEdit" endpoint. **Recommendations** For versions 1.5.6, 1.6.0 2 and earlier, consider disabling the smwfOnSfSetTargetName function until a patch is available. Restrict access to the "index.php/Special:FormEdit" endpoint to minimize the risk of exploitation. Avoid using the `target` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Foswiki versions prior to 1.1.5 **Description** The issue allows remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via various parameters, including `text`, `FirstName`, `LastName`, `OrganisationName`, `OrganisationUrl`, `Profession`, `Country`, `State`, `Address`, `Location`, `Telephone`, `VoIP`, `InstantMessagingIM`, `Email`, `HomePage`, or `Comment`. **Recommendations** For versions prior to 1.1.5, update to version 1.1.5 or later to resolve the issue. As a temporary workaround, consider restricting the CHANGE privileges to minimize the risk of exploitation. Avoid using the vulnerable parameters in the affected UI/Register.pm module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** XWiki Enterprise version 3.4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `XWiki.XWikiComments comment` parameter to "xwiki/bin/commentadd/Main/WebHome", the `XWiki.XWikiUsers 0 company` parameter when editing a user profile, or the `projectVersion` parameter to "xwiki/bin/view/DownloadCode/DownloadFeedback". **Recommendations** For XWiki Enterprise version 3.4, consider disabling the comment addition feature and restrict user profile editing until a patch is available. Avoid using the `XWiki.XWikiComments comment` and `XWiki.XWikiUsers 0 company` parameters in the affected API endpoints, and restrict access to the "xwiki/bin/view/DownloadCode/DownloadFeedback" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TWiki (affected versions not specified) **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the organization field in a profile. This can occur during (1) registration or (2) editing of the user. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.