Tin Pham

**Name of the Vulnerable Software and Affected Versions** Avada Builder (fusion-builder) versions prior to 3.15.3 **Description** Unauthenticated remote code execution is possible via PHP Function Injection. The issue occurs because the `wp conditional tags` case in the `Fusion Builder Conditional Render Helper::get value()` function passes attacker-controlled values from a base64-decoded JSON blob directly to `call user func()` without allowlist validation. This can be exploited through the 'fusion get widget markup' AJAX endpoint, which is registered for unauthenticated users via `wp ajax nopriv fusion get widget markup`. Although the endpoint is protected by a nonce `fusion load nonce`, this value is generated for user ID 0 and is deterministically exposed in the JavaScript output of any public page containing a Post Cards (`[fusion post cards]`) or Table of Contents (`[fusion table of contents]`) element. **Recommendations** Update the plugin to a version later than 3.15.2. As a temporary workaround, restrict access to the 'fusion get widget markup' AJAX endpoint or remove Post Cards and Table of Contents elements from public-facing pages to prevent the exposure of the `fusion load nonce`.

**Name of the Vulnerable Software and Affected Versions** CraftCMS version 3.8.1 **Description** The issue allows a remote attacker to execute arbitrary code via a crafted script to the `Section` parameter. This enables the attacker to potentially gain control over the system, allowing for unauthorized actions. **Recommendations** For CraftCMS version 3.8.1, consider disabling access to the `Section` parameter until a patch is available. As a temporary workaround, restrict the ability to execute scripts via this parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmartVista SVFE2 version 2.2.22 **Description** The issue is a SQL injection vulnerability. It can be exploited via the `UserForm:j id90` parameter at the "/feegroups/tgrt group.jsf" API endpoint. **Recommendations** For SmartVista SVFE2 version 2.2.22, consider restricting access to the `/feegroups/tgrt group.jsf` API endpoint to minimize the risk of exploitation. Avoid using the `UserForm:j id90` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmartVista SVFE2 version 2.2.22 **Description** The issue concerns multiple SQL injection vulnerabilities. These vulnerabilities can be exploited via the `UserForm:j id88`, `UserForm:j id90`, and `UserForm:j id92` parameters at the "/SVFE2/pages/feegroups/service group.jsf" API endpoint. **Recommendations** For SmartVista SVFE2 version 2.2.22, consider restricting access to the vulnerable parameters `UserForm:j id88`, `UserForm:j id90`, and `UserForm:j id92` in the "/SVFE2/pages/feegroups/service group.jsf" API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmartVista Cardgen version 3.28.0 **Description** A Path Traversal issue allows authenticated attackers to read arbitrary files in the system. **Recommendations** For SmartVista Cardgen version 3.28.0, consider restricting access to sensitive files and directories as a temporary workaround until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** SmartVista Cardgen version 3.28.0 **Description** The issue affects the IGB Files and OutfileService features, allowing attackers to list and download arbitrary files by modifying the `PATH` parameter. **Recommendations** For SmartVista Cardgen version 3.28.0, consider restricting access to the IGB Files and OutfileService features until a patch is available. As a temporary workaround, avoid using the `PATH` parameter in the affected features to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** BPC SmartVista version 3.28.0 **Description** The issue concerns reflected XSS vulnerabilities in error message handling, allowing an attacker to execute JavaScript code on the client side. Additionally, there is a vulnerability in the SmartVista CardGen personalization module due to inadequate protection of the web page structure, which can be exploited for cross-site scripting (XSS) attacks. **Recommendations** For BPC SmartVista version 3.28.0, consider disabling the error message handling feature until a patch is available to prevent exploitation of the reflected XSS vulnerability. Restrict access to the SmartVista CardGen personalization module to minimize the risk of XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** nopCommerce version 4.50.1 **Description** The issue allows an open redirect to be triggered by luring a user into authenticating to a nopCommerce page via a crafted link. This can potentially lead to phishing attacks or other malicious activities. **Recommendations** For nopCommerce version 4.50.1, update to a newer version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cyclos 4 PRO versions 4.14.7 and earlier **Description** A Dom-based Cross-site scripting (XSS) issue exists at the registration account in Cyclos, allowing remote attackers to inject arbitrary web script or HTML via the `groupId` parameter. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For Cyclos 4 PRO versions 4.14.7 and earlier, as a temporary workaround, consider restricting access to the registration account feature until a patch is available. Avoid using the `groupId` parameter in the affected registration account endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Cyclos 4 PRO versions 4.14.7 and before **Description** The issue allows a remote unauthenticated attacker to execute javascript code via an undefined enum constant due to a lack of user input validation at error inform. **Recommendations** For Cyclos 4 PRO versions 4.14.7 and before, as a temporary workaround, consider disabling the error inform feature until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.