Yann Chalenã§On

Name of the Vulnerable Software and Affected Versions: vtiger CRM versions prior to 7.0.1 Description: The issue is a reflected Cross-Site Scripting (XSS) vulnerability that could allow remote unauthenticated attackers to inject arbitrary web script or HTML via the "index.php?module=Contacts&view=List" API endpoint, specifically using the `app` parameter. This allows attackers to potentially execute malicious scripts on the victim's browser. Recommendations: For versions prior to 7.0.1, consider disabling access to the "index.php?module=Contacts&view=List" API endpoint until a patch is available. As a temporary workaround, restrict the use of the `app` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Dolibarr ERP/CRM versions prior to 5.0.4 **Description** The issue concerns SQL injection. It can be exploited via the "product/stats/card.php" API endpoint, specifically through the `type` parameter. **Recommendations** For versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "product/stats/card.php" endpoint or avoiding the use of the `type` parameter until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Dolibarr ERP/CRM versions prior to 5.0.4 **Description** The issue concerns multiple reflected Cross-Site Scripting (XSS) vulnerabilities. The affected API endpoints and parameters include: "index.php" with the `leftmenu` parameter, "core/ajax/box.php" with the `PATH INFO`, "product/stats/card.php" with the `type` parameter, "holiday/list.php" with the `month create`, `month start`, and `month end` parameters, and "don/card.php" with the `societe`, `lastname`, `firstname`, `address`, `zipcode`, `town`, and `email` parameters. **Recommendations** For versions prior to 5.0.4, update to version 5.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until the update is applied. Avoid using the specified parameters in the affected endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 5.0.1-dev **Description** The issue allows authenticated non-administrator users to view and modify information that is only accessible to administrators, due to a vertical privilege escalation. **Recommendations** For OpenEMR versions prior to 5.0.1-dev, update to a version that contains a fix for this issue to prevent unauthorized access and modification of sensitive information.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions prior to 5.0.0 **Description** The issue affects the OpenEMR application, allowing remote authenticated attackers to inject arbitrary web script or HTML due to multiple reflected and stored Cross-Site Scripting (XSS) vulnerabilities. **Recommendations** For versions prior to 5.0.0, update to version 5.0.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Dolibarr ERP/CRM versions 5.0.3 and prior **Description** The issue allows low-privilege users to upload files of dangerous types, potentially resulting in arbitrary code execution within the context of the vulnerable application. **Recommendations** For versions 5.0.3 and prior, restrict file upload capabilities to prevent the upload of dangerous file types until a fix is available. As a temporary workaround, consider disabling file upload functionality for low-privilege users to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** OpenEMR versions 5.0.0 and prior **Description** The issue allows low-privilege users to upload files of dangerous types, which can result in arbitrary code execution within the context of the vulnerable application. **Recommendations** For OpenEMR versions 5.0.0 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.