Taihei Shimamine

**Name of the Vulnerable Software and Affected Versions** Splunk Enterprise versions prior to 9.4.1 Splunk Enterprise versions prior to 9.3.3 Splunk Enterprise versions prior to 9.2.5 Splunk Enterprise versions prior to 9.1.8 Splunk Cloud Platform versions prior to 9.3.2408.107 Splunk Cloud Platform versions prior to 9.2.2406.112 Splunk Cloud Platform versions prior to 9.2.2403.115 Splunk Cloud Platform versions prior to 9.1.2312.208 Splunk Cloud Platform versions prior to 9.1.2308.214 **Description** A low-privileged user without the "admin" or "power" Splunk roles could bypass the external content warning modal dialog box in Dashboard Studio dashboards, potentially leading to information disclosure. **Recommendations** For Splunk Enterprise versions prior to 9.4.1, update to version 9.4.1 or later. For Splunk Enterprise versions prior to 9.3.3, update to version 9.3.3 or later. For Splunk Enterprise versions prior to 9.2.5, update to version 9.2.5 or later. For Splunk Enterprise versions prior to 9.1.8, update to version 9.1.8 or later. For Splunk Cloud Platform versions prior to 9.3.2408.107, update to version 9.3.2408.107 or later. For Splunk Cloud Platform versions prior to 9.2.2406.112, update to version 9.2.2406.112 or later. For Splunk Cloud Platform versions prior to 9.2.2403.115, update to version 9.2.2403.115 or later. For Splunk Cloud Platform versions prior to 9.1.2312.208, update to version 9.1.2312.208 or later. For Splunk Cloud Platform versions prior to 9.1.2308.214, update to version 9.1.2308.214 or later.

**Name of the Vulnerable Software and Affected Versions** Splunk Config Explorer versions prior to 1.7.16 **Description** The issue exists due to inadequate protection of the web page structure in Splunk Config Explorer, allowing for a cross-site scripting (XSS) attack. If exploited, this could lead to the execution of an arbitrary script on the user's web browser. **Recommendations** For versions prior to 1.7.16, update to version 1.7.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the Splunk Config Explorer web interface until the update is applied.

**Name of the Vulnerable Software and Affected Versions** SonicDICOM Media Viewer versions 2.3.2 and earlier **Description** An uncontrolled search path element issue exists, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with the privileges of the running application. **Recommendations** For SonicDICOM Media Viewer versions 2.3.2 and earlier, consider disabling the loading of Dynamic Link Libraries until a patch is available. Restrict access to sensitive areas of the application to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rename Media Files versions n/a through 1.0.1 **Description** The issue is related to an Improper Control of Generation of Code ('Code Injection') vulnerability. This vulnerability affects the Rename Media Files software. **Recommendations** For versions n/a through 1.0.1, update to a version later than 1.0.1 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Criss Swaim TPG Redirect plugin versions 1.0.7 and earlier **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions 1.0.7 and earlier, update to a version later than 1.0.7 to resolve the issue. As a temporary workaround, consider implementing CSRF token validation to prevent unauthorized requests. Restrict access to sensitive functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TotalPress.Org Custom post types, Custom Fields & more plugin versions 4.0.12 and earlier **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin+ privileges can inject malicious scripts into the application, which can then be executed by other users. The estimated number of potentially affected devices worldwide is not available. There is no information about real-world incidents where this issue was exploited. **Recommendations** For versions 4.0.12 and earlier, update to a version later than 4.0.12 to resolve the issue. As a temporary workaround, consider restricting access to the Custom post types, Custom Fields & more plugin to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Supsystic Contact Form by Supsystic plugin versions <= 1.7.27 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions <= 1.7.27, update to a version higher than 1.7.27 to resolve the issue. As a temporary workaround, consider restricting access to sensitive functions of the Supsystic Contact Form plugin until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Arul Prasad J Publish Confirm Message plugin versions prior to 1.3.1 **Description** The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This type of vulnerability allows an attacker to trick a user into performing unintended actions on a web application that the user is authenticated to. **Recommendations** For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** hwk-fr WP 404 Auto Redirect to Similar Post plugin versions 1.0.3 and earlier **Description** The issue is related to an Authenticated Stored Cross-Site Scripting (XSS) vulnerability. This means that an attacker with admin access can inject malicious scripts into the website, potentially affecting users who visit the site. **Recommendations** For versions 1.0.3 and earlier, update to a version later than 1.0.3 to resolve the issue. As a temporary workaround, consider restricting access to the plugin's settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Supersoju Block Referer Spam plugin versions 1.1.9.4 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. This vulnerability affects the Supersoju Block Referer Spam plugin. **Recommendations** For Supersoju Block Referer Spam plugin versions 1.1.9.4 and earlier, update to a version later than 1.1.9.4 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bill Minozzi Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin versions prior to 7.32 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that affects the Bill Minozzi Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection plugin. This vulnerability requires authentication with admin+ privileges. **Recommendations** For versions prior to 7.32, update to version 7.32 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Easy Form team Easy Form by AYS plugin versions 1.2.0 and earlier **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For versions 1.2.0 and earlier, update to a version later than 1.2.0 to resolve the issue. At the moment, there is no information about other specific mitigation measures for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Matt Gibbs Custom Field Suite plugin versions <= 2.6.2.1 **Description** The issue is related to a Stored Cross-Site Scripting (XSS) vulnerability that requires authentication with admin+ privileges. **Recommendations** For Matt Gibbs Custom Field Suite plugin versions <= 2.6.2.1, update to a version higher than 2.6.2.1 to resolve the issue.