Xjzzzxx

**Name of the Vulnerable Software and Affected Versions** GLPI versions prior to 10.0.17 **Description** The issue is related to a reflected XSS vulnerability in GLPI, a free asset and IT management software package. An unauthenticated user can provide a malicious link to a GLPI technician to exploit this vulnerability. This can allow a remote attacker to conduct a cross-site scripting (XSS) attack. **Recommendations** For versions prior to 10.0.17, upgrade to version 10.0.17 to resolve the issue. As a temporary workaround, consider restricting the ability of unauthenticated users to send links to GLPI technicians until the upgrade is applied.

**Name of the Vulnerable Software and Affected Versions** OpenFlights commit 5234b5b **Description** The issue is a Cross-Site Scripting (XSS) vulnerability found in the php/trip.php file. This allows for malicious scripts to be injected into the website, potentially leading to unauthorized access or control. **Recommendations** For OpenFlights commit 5234b5b, consider disabling access to the php/trip.php file until a patch is available to prevent exploitation of the Cross-Site Scripting vulnerability.

**Name of the Vulnerable Software and Affected Versions** openflights version 5234b5b **Description** The issue is a Cross-Site Scripting (XSS) vulnerability. It occurs via the "php/submit.php" endpoint. **Recommendations** For version 5234b5b, as a temporary workaround, consider disabling access to the "php/submit.php" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** openflights commit 5234b5b **Description** The issue is related to Cross-Site Scripting (XSS) via the php/settings.php file. This allows for potential malicious script execution. No information is provided about the estimated number of affected devices or real-world incidents. **Recommendations** For openflights commit 5234b5b, consider restricting access to the php/settings.php file until a fix is available. As a temporary workaround, avoid using the vulnerable php/settings.php file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** openflights version 5234b5b **Description** The issue is related to a Cross-Site Scripting (XSS) vulnerability. It affects the `php/alsearch.php` file. No information is provided about the estimated number of potentially affected devices or real-world incidents where this issue was exploited. **Recommendations** For openflights version 5234b5b, as a temporary workaround, consider restricting access to the `php/alsearch.php` file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** unmark version 1.9.2 **Description** The issue is a Cross Site Scripting (XSS) vulnerability found in the application/views/marks/add by url.php file. This allows for potential malicious script execution. **Recommendations** For version 1.9.2, consider restricting access to the `add by url.php` file until a patch is available. As a temporary workaround, avoid using the `add by url.php` functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpipam version 1.6 **Description** The issue is a Cross Site Scripting (XSS) vulnerability. It occurs through the `appadminimport-exportimport-load-data.php` file. This allows for potential malicious script execution. **Recommendations** For phpipam version 1.6, as a temporary workaround, consider restricting access to the `import-load-data.php` file until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RPi-Jukebox-RFID version 2.7.0 **Description** A remote code execution (RCE) issue was discovered in RPi-Jukebox-RFID, allowing for potential code execution via the "htdocsmanageFilesFolders.php" endpoint. **Recommendations** For RPi-Jukebox-RFID version 2.7.0, as a temporary workaround, consider disabling access to the "htdocsmanageFilesFolders.php" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RPi-Jukebox-RFID version 2.7.0 **Description** A remote code execution vulnerability was discovered in RPi-Jukebox-RFID, allowing for potential unauthorized access and data compromise via the htdocstrackEdit.php file. **Recommendations** For RPi-Jukebox-RFID version 2.7.0, patch immediately and review access controls to mitigate the risk of exploitation. As a temporary workaround, consider restricting access to the `htdocstrackEdit.php` file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RPi-Jukebox-RFID version 2.7.0 **Description** A remote code execution issue was discovered in RPi-Jukebox-RFID, allowing for potential code execution via the htdocsuserScripts.php file. **Recommendations** For RPi-Jukebox-RFID version 2.7.0, consider disabling access to the htdocsuserScripts.php file as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** RPi-Jukebox-RFID version 2.7.0 **Description** A remote code execution issue was discovered in RPi-Jukebox-RFID. The issue occurs via the "htdocs/api/playlist/appendFileToPlaylist.php" API endpoint. **Recommendations** For RPi-Jukebox-RFID version 2.7.0, consider disabling access to the "appendFileToPlaylist.php" file in the "htdocs/api/playlist" directory until a patch is available. Restrict access to the "htdocs/api/playlist/appendFileToPlaylist.php" API endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** RPi-Jukebox-RFID version 2.7.0 **Description** A remote code execution (RCE) issue was discovered in RPi-Jukebox-RFID. The issue is related to the `htdocsinc.setWlanIpMail.php` file, which allows for remote code execution. **Recommendations** For RPi-Jukebox-RFID version 2.7.0, consider restricting access to the `inc.setWlanIpMail.php` file in the `htdocs` directory until a patch is available. As a temporary workaround, disabling the execution of code from this file may help mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** RPi-Jukebox-RFID version 2.7.0 **Description** A remote code execution (RCE) issue was discovered in RPi-Jukebox-RFID. The issue is found in the htdocsincsetWifi.php file, allowing for remote code execution. **Recommendations** For RPi-Jukebox-RFID version 2.7.0, consider disabling access to the `setWifi.php` file as a temporary workaround until a patch is available. Restrict access to the `htdocsincsetWifi.php` file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Organizr version 1.90 **Description** The issue is related to Cross Site Scripting (XSS) via the "api.php" endpoint. This means an attacker could potentially inject malicious scripts into the website, affecting users' sessions. **Recommendations** For Organizr version 1.90, as a temporary workaround, consider disabling access to the "api.php" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gazelle version 63b3370 **Description** A cross-site scripting (XSS) issue exists in the `/login/disabled.php` component, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `username` parameter. **Recommendations** For Gazelle version 63b3370, consider disabling the `/login/disabled.php` component until a patch is available to prevent exploitation of the XSS issue. Restrict access to this component to minimize the risk of arbitrary web script or HTML execution. Avoid using the `username` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PicUploader version fcf82ea **Description** A cross-site scripting (XSS) issue exists in the `/auth/AzureRedirect.php` component, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `error description` parameter. **Recommendations** For PicUploader version fcf82ea, consider disabling access to the `/auth/AzureRedirect.php` component until a patch is available. As a temporary workaround, restrict the use of the `error description` parameter in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gazelle version 63b3370 **Description** A cross-site scripting (XSS) issue in the `/managers/enable requests.php` component allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `view` parameter. **Recommendations** For Gazelle version 63b3370, consider disabling access to the `/managers/enable requests.php` component until a patch is available. As a temporary workaround, restrict the use of the `view` parameter in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Gazelle (affected versions not specified) **Description** A cross-site scripting (XSS) vulnerability in the component "/managers/multiple freeleech.php" of Gazelle allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `torrents` parameter. **Recommendations** As a temporary workaround, consider restricting access to the "/managers/multiple freeleech.php" component until a patch is available. Avoid using the `torrents` parameter in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PicUploader version fcf82ea **Description** A cross-site scripting (XSS) issue exists in the `/master/auth/OnedriveRedirect.php` component, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `error description` parameter. **Recommendations** For PicUploader version fcf82ea, consider restricting access to the `/master/auth/OnedriveRedirect.php` component until a patch is available. As a temporary workaround, avoid using the `error description` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** dzzoffice version 2.02.1 **Description** The issue allows for Directory Traversal via the `user/space/about.php` endpoint. This means an attacker could potentially access files outside the intended directory structure by manipulating the input to the vulnerable endpoint. **Recommendations** For dzzoffice version 2.02.1, consider restricting access to the `user/space/about.php` endpoint until a patch is available. As a temporary workaround, review and limit file access permissions to minimize the risk of exploitation.