Yunus Emre Yilmaz

**Name of the Vulnerable Software and Affected Versions** Neocrome Seditio version 102 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via an HTTP Referer field. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For Neocrome Seditio version 102, consider validating and sanitizing all input data, including HTTP Referer fields, to prevent the injection of malicious scripts. As a temporary workaround, restrict access to sensitive areas of the application until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BoastMachine (bMachine) versions 3.1 and earlier **Description** A cross-site scripting (XSS) issue exists due to improper filtering of the query string when accessed using the `$ SERVER["PHP SELF"]` variable. This allows remote attackers to inject arbitrary web script or HTML via the query string in files such as `index.php` and `bmc/admin.php`. **Recommendations** For versions 3.1 and earlier, as a temporary workaround, consider filtering or validating user input in the query string to prevent injection of malicious scripts. Restrict access to sensitive files like `index.php` and `bmc/admin.php` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PeHePe Uyelik Sistemi (aka PeHePe MemberShip Management System) version 3 **Description** The issue allows remote attackers to include and execute arbitrary PHP code via a URL in the `uye klasor` parameter, along with a `misafir[]` parameter that is set to `UYE SEVIYE`. This can be exploited by sending a crafted request to the `sol menu.php` file. **Recommendations** For PeHePe Uyelik Sistemi (aka PeHePe MemberShip Management System) version 3, consider validating and sanitizing the `uye klasor` and `misafir[]` parameters to prevent the inclusion of arbitrary PHP code. As a temporary workaround, restrict access to the `sol menu.php` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** EJ3 TOPo version 2.2.178 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `gTopNombre` parameter in the inc header.php file. **Recommendations** For version 2.2.178, avoid using the `gTopNombre` parameter in the affected API endpoint until the issue is resolved.