Tomas Castro Rojas

**Name of the Vulnerable Software and Affected Versions** Dolibarr ERP CRM versions prior to 19.0.2 **Description** The issue is related to a remote code execution (RCE) vulnerability. It can be exploited via the `Computed field` parameter under the `Users Module Setup` function. **Recommendations** For versions prior to 19.0.2, update to version 19.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `Users Module Setup` function until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** Bonitasoft, S.A versions prior to 7.14.8 Bonitasoft, S.A versions prior to 7.15.7 Bonitasoft, S.A versions prior to 8.0.3 Bonitasoft, S.A versions prior to 9.0.2 **Description** The issue allows attackers to execute arbitrary code via a crafted payload to the `Groups Display name` field. This is a Cross Site Scripting vulnerability. **Recommendations** For versions prior to 7.14.8, update to version 7.14.8 or later. For versions prior to 7.15.7, update to version 7.15.7 or later. For versions prior to 8.0.3, update to version 8.0.3 or later. For versions prior to 9.0.2, update to version 9.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** Plone Docker Official Image version 5.2.13 (5221) **Description** An issue in the Plone Docker Official Image open-source software could allow for remote code execution due to a package listed in ++plone++static/components not existing in the public package index (npm). **Recommendations** For Plone Docker Official Image version 5.2.13 (5221), consider updating to a newer version that includes a fix for this issue, as the current version may allow for remote code execution due to a missing package in the public package index. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plone Docker Official Image version 5.2.13 (5221) **Description** The issue allows for remote code execution via improper validation of input by the `HOST` headers. This can be exploited by an attacker to execute arbitrary code by injecting code into the `HOST` header. **Recommendations** For Plone Docker Official Image version 5.2.13 (5221), as a temporary workaround, consider restricting access to the `HOST` headers until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Plone Docker version 5.2.13 (5221) **Description** The issue is related to the absence of a mechanism to prevent unintended changes to resources when processing requests. This allows unauthenticated attackers to execute dangerous actions, such as uploading files to the server or deleting them, using the HTTP PUT and DELETE methods. **Recommendations** For Plone Docker version 5.2.13 (5221), consider disabling the HTTP PUT and DELETE methods to prevent exploitation until a patch is available. Restrict access to the server to minimize the risk of unauthorized file uploads or deletions.

**Name of the Vulnerable Software and Affected Versions** TP-Link Tapo APK up to v2.12.703 **Description** The issue is related to the use of hardcoded credentials for access to the login panel in the TP-Link Tapo APK. This allows a remote attacker to gain unauthorized access to protected information. The vulnerability is also associated with unencrypted storage of credentials. **Recommendations** For TP-Link Tapo APK up to v2.12.703, consider updating to a version that does not use hardcoded credentials for the login panel, if available. As a temporary workaround, restrict access to the login panel to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.