Tu3N4Nh

**Name of the Vulnerable Software and Affected Versions** The Product Labels For Woocommerce (Sale Badges) WordPress plugin version 1.5.10 and earlier **Description** The issue allows admins to perform SQL injection attacks due to a parameter not being sanitized and escaped before use in a SQL statement. **Recommendations** For versions prior to 1.5.11, update to version 1.5.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Product Labels For Woocommerce (Sale Badges) versions prior to 1.5.9 **Description** The issue allows admins to perform SQL injection attacks due to a parameter not being sanitized and escaped before use in a SQL statement. **Recommendations** For versions prior to 1.5.9, update to version 1.5.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the SQL statement until a patch is available. Avoid using the vulnerable parameter in the affected SQL statement until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Simple File List WordPress plugin versions prior to 6.1.13 **Description** The issue is related to a Reflected Cross-Site Scripting flaw. It occurs because the plugin does not properly sanitise and escape a generated URL before outputting it back in an attribute. This could be exploited against admins. **Recommendations** For versions prior to 6.1.13, update to version 6.1.13 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin's functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NetBox version 4.1.0 **Description** A stored cross-site scripting (XSS) issue exists within the "Configuration History" feature of the "Admin" panel via the "/core/config-revisions/" endpoint, specifically through the "Add" action. An authenticated user can inject arbitrary JavaScript or HTML into the "Top banner" field. However, it is noted that multiple third parties have disputed this as not a vulnerability, arguing that the configuration revision banner feature is intended to contain unsanitized HTML for displaying notifications to users. **Recommendations** For NetBox version 4.1.0, consider restricting the use of the "Top banner" field in the "Configuration History" feature until the issue is resolved, as it may allow the injection of arbitrary JavaScript or HTML. However, given the dispute over whether this behavior is a vulnerability or intended functionality, careful consideration should be given to any mitigation measures to avoid unnecessary restrictions on the system's functionality. At the moment, there is no information about a newer version that contains a fix for this issue.