Steffen Rösemann

**Name of the Vulnerable Software and Affected Versions** phpBugTracker versions prior to 1.7.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This can be achieved via several parameters, including the `id` parameter to "project.php", the `group id` parameter to "group.php", the `status id` parameter to "status.php", the `resolution id` parameter to "resolution.php", the `severity id` parameter to "severity.php", the `priority id` parameter to "priority.php", the `os id` parameter to "os.php", or the `site id` parameter to "site.php". **Recommendations** For phpBugTracker versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "project.php", "group.php", "status.php", "resolution.php", "severity.php", "priority.php", "os.php", and "site.php", until a patch is applied. Avoid using the parameters `id`, `group id`, `status id`, `resolution id`, `severity id`, `priority id`, `os id`, and `site id` in the respective affected endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** phpBugTracker versions prior to 1.7.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via several parameters, including the `project name` parameter to "project.php", the `use js` parameter to "user.php" and "group.php", the `Description` parameter to "status.php" and "severity.php", the `Regex` parameter to "os.php", and the `Name` parameter to "database.php". **Recommendations** For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters, such as `project name`, `use js`, `Description`, `Regex`, and `Name`, in their respective PHP files until the update is applied.

**Name of the Vulnerable Software and Affected Versions** phpBugTracker versions prior to 1.7.0 **Description** The issue allows remote authenticated users to hijack the authentication of other users for various requests, including deleting data and causing unspecified impacts. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities. The affected API endpoints include "project.php" with the `id` parameter, "group.php" with the `group id` parameter, "status.php" with the `status id` parameter, "severity.php" with the `severity id` parameter, "priority.php" with the `priority id` parameter, "os.php" with the `os id` parameter, "database.php" with the `database id` parameter, and "sites.php" with the `site id` parameter. **Recommendations** For versions prior to 1.7.0, update to version 1.7.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints, such as "project.php", "group.php", "status.php", "severity.php", "priority.php", "os.php", "database.php", and "sites.php", to minimize the risk of exploitation. Additionally, avoid using the parameters `id`, `group id`, `status id`, `severity id`, `priority id`, `os id`, `database id`, and `site id` in the respective API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** pfSense versions prior to 2.2.3 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files. The affected parameters include `srctrack`, `use mfs tmp size`, `use mfs var size`, `port`, `snaplen`, `count`, `pppoe resethour`, `pppoe resetminute`, `wpa group rekey`, `wpa gmk rekey`, `member[]`, `pkgrepourl`, `zone`, `cache max ttl`, `cache min ttl`, `sshport`, `id`, `tunable`, `descr`, `value`, `firmwareurl`, `repositoryurl`, `branch`, `pfsyncpeerip`, `synchronizetoip`, `username`, `passwordfld`, `maxmss`, `ntp server1`, `ntp server2`, `wins server1`, and `wins server2`. The API endpoints affected include "system advanced misc.php", "diag packet capture.php", "interfaces.php", "interfaces ppps edit.php", "interfaces qinq edit.php", "load balancer pool edit.php", "pkg mgr settings.php", "services captiveportal.php", "services dnsmasq.php", "services unbound.php", "services unbound advanced.php", "system advanced admin.php", "system advanced sysctl.php", "system firmware settings.php", "system hasync.php", "vpn ipsec settings.php", and "vpn openvpn csc.php". **Recommendations** For pfSense versions prior to 2.2.3, update to version 2.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected API endpoints and parameters until a patch is available. Avoid using the specified parameters in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZeusCart versions 4.0 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `search` parameter in a search action to "index.php". **Recommendations** For ZeusCart versions 4.0 and earlier, update to a version later than 4.0 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** ZeusCart version 4 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters in actions to index.php. This can be achieved through the `schtlr` parameter in a brands action or the `brand` parameter in a viewbrands action. **Recommendations** For ZeusCart version 4, consider restricting access to the `schtlr` parameter in the brands action and the `brand` parameter in the viewbrands action to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZeusCart version 4 **Description** The issue allows remote attackers to obtain configuration information. This is achieved by accessing the admin/ endpoint with a getphpinfo action, which invokes the phpinfo function. **Recommendations** For ZeusCart version 4, consider restricting access to the admin/ endpoint to prevent unauthorized retrieval of configuration information. As a temporary workaround, consider disabling the getphpinfo action until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ZeusCart version 4 **Description** The issue concerns SQL injection vulnerabilities in the administrative backend. These vulnerabilities allow remote administrators to execute arbitrary SQL commands. This can be achieved through the `id` parameter in either a `disporders` detail or `subadminmgt` edit action, or the `cid` parameter in an `editcurrency` action to `admin/`. **Recommendations** For ZeusCart version 4, avoid using the `id` parameter in `disporders` detail or `subadminmgt` edit actions and the `cid` parameter in `editcurrency` actions to `admin/` until a fix is available. As a temporary workaround, consider restricting access to these parameters to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Adminsystems CMS versions prior to 4.0.2 **Description** The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the `page` parameter to "index.php" or the `id` parameter in a "users users" action to "asys/site/system.php". **Recommendations** For versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the "index.php" and "asys/site/system.php" endpoints until the update is applied. Avoid using the `page` and `id` parameters in the affected endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Adminsystems CMS versions prior to 4.0.2 **Description** The issue allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension to the `asys/site/files.php` endpoint, and then accessing it via a direct request to the file in `upload/files/`. **Recommendations** For versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Pragyan CMS version 3.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting a SQL injection vulnerability in the userprofile.lib.php file, specifically via the `user` parameter to the default URI. **Recommendations** For Pragyan CMS version 3.0, consider restricting access to the userprofile.lib.php file until a patch is available. As a temporary workaround, avoid using the `user` parameter in the default URI to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Epignosis eFront Open Source Edition versions prior to 3.6.15.3 build 18022 **Description** The issue allows remote attackers to hijack the authentication of administrators for various requests, including deleting, deactivating, or activating modules, users, themes, events, and language settings, as well as modifying the autologin feature. This is achieved through multiple cross-site request forgery (CSRF) vulnerabilities in the administrator.php file. The vulnerable parameters include `delete module`, `deactivate module`, `activate module`, `delete user`, `deactivate user`, `activate user`, `set theme`, `delete`, `deactivate notification`, `activate notification`, `delete notification`, `deactivate language`, `activate language`, `delete language`, and parameters related to the autologin feature. **Recommendations** For Epignosis eFront Open Source Edition versions prior to 3.6.15.3 build 18022, update to version 3.6.15.3 build 18022 or later to resolve the issue. As a temporary workaround, consider restricting access to the administrator.php file and its associated parameters to minimize the risk of exploitation. Avoid using the vulnerable parameters until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Saurus CMS version 4.7.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the `search` parameter to "admin/user management.php", the `data search` parameter to "/admin/profile data.php", or the `filter` parameter to "error log.php". **Recommendations** For Saurus CMS version 4.7.0, as a temporary workaround, consider restricting access to the affected API endpoints, specifically "admin/user management.php", "/admin/profile data.php", and "error log.php", until a patch is available. Avoid using the `search`, `data search`, and `filter` parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZeroCMS versions 1.3.3, 1.3.2, and earlier **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This is achieved via the `user id` parameter in a Modify Account action. **Recommendations** For ZeroCMS versions 1.3.3, 1.3.2, and earlier, consider restricting access to the Modify Account action until a fix is available. As a temporary workaround, avoid using the `user id` parameter in the affected administrative backend functionality until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ferretCMS version 1.0.4-alpha **Description** The issue allows remote administrators to execute arbitrary code by uploading a file with an executable extension to the custom/uploads/ directory, and then accessing it via a direct request. This is due to an unrestricted file upload vulnerability. **Recommendations** For ferretCMS version 1.0.4-alpha, restrict access to the custom/uploads/ directory to prevent direct execution of uploaded files, and consider implementing file type validation to prevent uploading files with executable extensions.

**Name of the Vulnerable Software and Affected Versions** ferretCMS version 1.0.4-alpha **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters. The affected parameters include the `action` parameter in a search request, the `username` in a login request (which is not properly handled when logging the event), and the `page title` in an insert action. **Recommendations** For ferretCMS version 1.0.4-alpha, as a temporary workaround, consider restricting access to the admin.php file until a patch is available. Avoid using the `action` parameter in search requests, the `username` parameter in login requests, and the `page title` parameter in insert actions until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ferretCMS version 1.0.4-alpha **Description** The issue concerns multiple cross-site request forgery (CSRF) vulnerabilities in the admin.php file. These vulnerabilities allow remote attackers to hijack the authentication of administrators, potentially leading to cross-site scripting (XSS), SQL injection, or unrestricted file upload attacks. **Recommendations** For ferretCMS version 1.0.4-alpha, as a temporary workaround, consider disabling the admin.php file until a patch is available. Restrict access to the admin interface to minimize the risk of exploitation. Avoid using the admin.php file for sensitive operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ferretCMS version 1.0.4-alpha **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands. This is achieved by exploiting the `p` parameter in an update action to the "admin.php" endpoint. **Recommendations** For ferretCMS version 1.0.4-alpha, avoid using the `p` parameter in the update action to the "admin.php" endpoint until a fix is available. Consider restricting access to the "admin.php" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** WebsiteBaker version 2.8.3 SP3 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `page id` parameter in the "admin/pages/modify.php" endpoint. **Recommendations** For version 2.8.3 SP3, avoid using the `page id` parameter in the "admin/pages/modify.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "admin/pages/modify.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Croogo versions prior to 2.2.1 **Description** A cross-site scripting (XSS) issue exists in the administrative backend, allowing remote attackers to inject arbitrary web script or HTML via the `path` parameter to "admin/file manager/file manager/editfile". **Recommendations** For versions prior to 2.2.1, update to version 2.2.1 or later to resolve the issue.