Trichimtrichop

**Name of the Vulnerable Software and Affected Versions** Remarkable version 1.7.1 **Description** The issue arises from the mishandling of URL filtering in the lib/parser inline.js file, allowing attackers to trigger XSS via unprintable characters. This can be demonstrated by a `x0ejavascript:` URL, which showcases the vulnerability. **Recommendations** For version 1.7.1, consider disabling the URL filtering functionality in lib/parser inline.js until a patch is available to prevent exploitation. Restrict access to URLs that may contain unprintable characters to minimize the risk of XSS attacks.

**Name of the Vulnerable Software and Affected Versions** SLiMS versions 8 Akasia through 8.3.1 **Description** The issue allows for SQL injection through specific parameters and files, including `tableName` and `tableFields` in admin/AJAX lookup handler.php, as well as vulnerabilities in admin/AJAX check id.php and admin/AJAX vocabolary control.php. This can be exploited by remote authenticated librarian users. **Recommendations** For versions 8 Akasia through 8.3.1, consider restricting access to the vulnerable files admin/AJAX lookup handler.php, admin/AJAX check id.php, and admin/AJAX vocabolary control.php until a patch is available. As a temporary workaround, avoid using the `tableName` and `tableFields` parameters in the affected API endpoints.

**Name of the Vulnerable Software and Affected Versions** SLiMS versions 8 Akasia through 8.3.1 **Description** The issue is related to an arbitrary file reading problem due to directory traversal in the `url` parameter to "admin/help.php". This can be exploited by remote authenticated librarian users. **Recommendations** For versions 8 Akasia through 8.3.1, consider restricting access to the "admin/help.php" endpoint until a patch is available. As a temporary workaround, avoid using the `url` parameter in the affected endpoint to minimize the risk of exploitation.