Yutaka Watanabe

**Name of the Vulnerable Software and Affected Versions** FitNesse versions prior to 20220319 **Description** A cross-site scripting issue exists, which may allow a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is using the product and accessing a link with a specially crafted certain parameter. **Recommendations** For versions prior to 20220319, update to a version released after 20220319 to resolve the issue. As a temporary workaround, consider restricting access to links with specially crafted parameters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** pfSense CE versions 2.5.2 and earlier pfSense Plus versions 21.05 and earlier **Description** A cross-site scripting issue allows a remote attacker to inject an arbitrary script via a malicious URL. This enables the attacker to execute unauthorized actions on the affected system. **Recommendations** For pfSense CE versions 2.5.2 and earlier, update to a version later than 2.5.2 to resolve the issue. For pfSense Plus versions 21.05 and earlier, update to a version later than 21.05 to resolve the issue. As a temporary workaround, consider restricting access to potentially vulnerable URLs to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pfSense CE versions prior to 2.6.0 pfSense Plus versions prior to 22.01 **Description** The issue is related to improper input validation, allowing a remote attacker with the privilege to change OpenVPN client or server settings to execute an arbitrary command. This can be done by exploiting the vulnerability in the OpenVPN client or server settings. **Recommendations** For pfSense CE versions prior to 2.6.0, update to version 2.6.0 or later to resolve the issue. For pfSense Plus versions prior to 22.01, update to version 22.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the OpenVPN client or server settings until a patch is available.

**Name of the Vulnerable Software and Affected Versions** pfSense CE versions prior to 2.6.0 pfSense Plus versions prior to 22.01 **Description** The issue is related to improper access control in pfSense CE and pfSense Plus, allowing a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system. This may result in arbitrary command execution. **Recommendations** For pfSense CE versions prior to 2.6.0, update to version 2.6.0 or later to resolve the issue. For pfSense Plus versions prior to 22.01, update to version 22.01 or later to resolve the issue. As a temporary workaround, consider restricting access to the NTP GPS settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** pfSense-pkg-WireGuard versions 0.1.5 through 0.1.5 3 pfSense-pkg-WireGuard versions 0.1.6 through 0.1.6 0 **Description** A directory traversal issue allows a remote authenticated attacker to lead a pfSense user to view a file outside the public folder. **Recommendations** For pfSense-pkg-WireGuard versions 0.1.5 through 0.1.5 3, update to version 0.1.5 4 or later. For pfSense-pkg-WireGuard versions 0.1.6 through 0.1.6 0, update to version 0.1.6 1 or later.

Name of the Vulnerable Software and Affected Versions: ELECOM NCC-EWF100RMWH2 (affected versions not specified) Description: A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators and execute an arbitrary request via an unspecified vector. This can result in the alteration of device settings and/or the starting of the telnet daemon. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.x through 4.9.4 phpMyAdmin versions 5.x through 5.0.1 **Description** A SQL injection issue has been found where certain parameters are not properly escaped when generating queries for search actions in libraries/classes/Controllers/Table/TableSearchController.php. This allows an attacker to create a crafted database or table name. The attack can occur when a user performs specific search operations on the malicious database or table. **Recommendations** For phpMyAdmin versions 4.x through 4.9.4, update to version 4.9.5 or later. For phpMyAdmin versions 5.x through 5.0.1, update to version 5.0.2 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyAdmin versions 4.x through 4.9.4 phpMyAdmin versions 5.x through 5.0.1 **Description** A SQL injection issue was found where malicious code could be used to trigger an XSS attack through retrieving and displaying results. This occurs in files such as tbl get field.php and libraries/classes/Display/Results.php. The attacker must be able to insert crafted data into certain database tables, which when retrieved, for instance, through the Browse tab, can trigger the XSS attack. **Recommendations** For phpMyAdmin versions 4.x through 4.9.4, update to version 4.9.5 or later. For phpMyAdmin versions 5.x through 5.0.1, update to version 5.0.2 or later.