Tsutomu Aramaki

**Name of the Vulnerable Software and Affected Versions** SkyBridge BASIC MB-A130 versions prior to 1.5.8 **Description** Improper neutralization of special elements used in an OS command ('OS Command Injection') exists in the software. If exploited, a remote unauthenticated attacker may execute arbitrary OS commands with root privileges. **Recommendations** SkyBridge BASIC MB-A130 versions prior to 1.5.8: Update to version 1.5.8 or later.

**Name of the Vulnerable Software and Affected Versions** Group Office versions prior to 6.6.182 Group Office versions prior to 6.7.64 Group Office versions prior to 6.8.31 **Description** A cross-site scripting issue exists, which may allow a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. **Recommendations** For versions prior to 6.6.182, update to version 6.6.182 or later. For versions prior to 6.7.64, update to version 6.7.64 or later. For versions prior to 6.8.31, update to version 6.8.31 or later.

**Name of the Vulnerable Software and Affected Versions** Joruri Gw versions 3.2.5 and earlier **Description** A cross-site scripting issue allows a remote authenticated attacker to inject an arbitrary script via the Message Memo function of the affected product. **Recommendations** For versions 3.2.5 and earlier, consider disabling the Message Memo function until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Modern Events Calendar Lite versions prior to 6.3.0 **Description** A cross-site scripting issue allows a remote authenticated attacker to inject an arbitrary script via unspecified vectors. **Recommendations** For versions prior to 6.3.0, update to version 6.3.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Mobile browser color select plugin for WordPress versions up to, and including, 1.0.1 **Description** The issue is due to missing or incorrect nonce validation on the `admin update data()` function, making it possible for unauthenticated attackers to inject malicious web scripts via forged requests. This can happen if an attacker can trick a site administrator into performing an action, such as clicking on a link. **Recommendations** For versions up to, and including, 1.0.1, consider disabling the `admin update data()` function until a patch is available to prevent exploitation. Restrict access to the plugin's administrative features to minimize the risk of unauthorized requests.

**Name of the Vulnerable Software and Affected Versions** WPMK Ajax Finder WordPress plugin versions up to and including 1.0.1 **Description** The issue is related to Cross-Site Request Forgery, which occurs due to a missing nonce check in the `createplugin atf admin setting page()` function found in the ~/inc/config/create-plugin-config.php file. This allows attackers to inject arbitrary web scripts. **Recommendations** For versions up to and including 1.0.1, consider disabling the `createplugin atf admin setting page()` function until a patch is available to prevent exploitation. Restrict access to the ~/inc/config/create-plugin-config.php file to minimize the risk of arbitrary web script injection. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Quiz And Survey Master versions prior to 7.3.7 **Description** A stored cross-site scripting issue allows a remote authenticated attacker to inject an arbitrary script via a website that uses Quiz And Survey Master. **Recommendations** For versions prior to 7.3.7, update to version 7.3.7 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: GroupSession Free edition versions 5.1.1 and earlier GroupSession byCloud versions 5.1.1 and earlier GroupSession ZION versions 5.1.1 and earlier Description: The issue allows a remote unauthenticated attacker to redirect users to arbitrary web sites and conduct phishing attacks by having a user access a specially crafted URL. Recommendations: For GroupSession Free edition versions 5.1.1 and earlier, consider restricting access to URLs that could be used for phishing attacks until a patch is available. For GroupSession byCloud versions 5.1.1 and earlier, avoid using URLs that could be exploited for open redirects until the issue is resolved. For GroupSession ZION versions 5.1.1 and earlier, as a temporary workaround, consider disabling access to external URLs to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: GroupSession Free edition versions 5.1.1 and earlier GroupSession byCloud versions 5.1.1 and earlier GroupSession ZION versions 5.1.1 and earlier Description: A path traversal vulnerability allows an attacker with administrative privilege to obtain sensitive information stored in the hierarchy above the directory on the published site's server via unspecified vectors. Recommendations: For GroupSession Free edition versions 5.1.1 and earlier, update to a version later than 5.1.1 to resolve the issue. For GroupSession byCloud versions 5.1.1 and earlier, update to a version later than 5.1.1 to resolve the issue. For GroupSession ZION versions 5.1.1 and earlier, update to a version later than 5.1.1 to resolve the issue. As a temporary workaround, consider restricting access to sensitive information stored on the server to minimize the risk of exploitation.