Tiger_Tigerboy

Name of the Vulnerable Software and Affected Versions: trixbox version 2.8.0.4 Description: The issue is related to a security problem where an attacker can execute malicious scripts in the browser of other users, potentially leading to unauthorized actions. This is achieved by manipulating the PATH INFO to specific API endpoints, such as "/maint/index.php" or "/user/includes/language/langChooser.php". Recommendations: For trixbox version 2.8.0.4, as a temporary workaround, consider restricting access to the `/maint/index.php` and `/user/includes/language/langChooser.php` endpoints until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: trixbox version 2.8.0.4 Description: The issue concerns path traversal via the `xajaxargs` array parameter to "/maint/index.php?packages" or the `lang` parameter to "/maint/modules/home/index.php". Recommendations: For trixbox version 2.8.0.4, consider restricting access to the `/maint/index.php?packages` and `/maint/modules/home/index.php` API endpoints until a patch is available. As a temporary workaround, avoid using the `xajaxargs` array parameter and the `lang` parameter in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** USB Pratirodh (affected versions not specified) **Description** The issue allows remote attackers to conduct XML External Entity (XXE) attacks by manipulating XML data in the `usb.xml` file. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** USB Pratirodh (affected versions not specified) **Description** The issue concerns the disclosure of sensitive information. Specifically, it stores sensitive data such as `username` and `password` in a simple usb.xml file. An attacker with physical access to the system can modify this file to suit their needs, potentially aiding in further attacks. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Skype version 7.16.0.102 **Description** The issue exists due to the way .dll files are loaded by Skype, allowing an unauthenticated, remote attacker to execute arbitrary code on the targeted system. The specific flaw is within the handling of DLL loading by the Skype.exe process, particularly with the api-ms-win-core-winrt-string-l1-1-0.dll. An attacker can exploit this by loading a specially crafted .dll file, potentially executing arbitrary code without the user's knowledge. **Recommendations** For Microsoft Skype version 7.16.0.102, consider restricting the loading of external libraries to prevent exploitation until a patch is available. As a temporary workaround, avoid using the Skype.exe process to load .dll files from untrusted sources, especially the api-ms-win-core-winrt-string-l1-1-0.dll, to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** IBM Tivoli Storage Manager FastBack (affected versions not specified) **Description** The issue allows a remote attacker to execute arbitrary code on the system. This can be achieved by placing a specially-crafted DLL in the victim's path. When the installer is executed, the attacker could exploit this to run arbitrary code on the system with the victim's privileges. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions prior to 2.3.5 **Description** A cross-site scripting (XSS) issue exists in the Reset Your Password module, allowing remote attackers to inject arbitrary web script or HTML via the `Username/Email` field. **Recommendations** For versions prior to 2.3.5, update to version 2.3.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Exponent CMS versions prior to 2.3.7 **Description** The issue allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly have other unspecified impact by uploading files with certain extensions, such as .html, and then accessing them via the elFinder functionality. **Recommendations** For versions prior to 2.3.7, update to version 2.3.7 or later to resolve the issue. As a temporary workaround, consider restricting file uploads to only necessary file types and disabling access to the elFinder functionality until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Symphony CMS version 2.6.3 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The vulnerable parameters include the `Name`, `Navigation Group`, and `Label` parameters to the "blueprints/sections/edit/1" endpoint. **Recommendations** For Symphony CMS version 2.6.3, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting input for the `Name`, `Navigation Group`, and `Label` parameters to prevent arbitrary web script or HTML injection until a patch is available.