Security Headlines

Tag: #php

Employee Management System 1.0 SQL Injection

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

Packet Storm
WonderCMS 4.3.2 Cross Site Scripting / Remote Code Execution

WonderCMS version 4.3.2 remote exploit that leverages cross site scripting to achieve remote code execution.

User Registration And Login And User Management System 3.1 SQL Injection

User Registration and Login and User Management System version 3.1 suffers from a remote SQL injection vulnerability.

GHSA-7f2v-5877-rx3x: Code injection in REDAXO

An issue was discovered in REDAXO version 5.15.1 which allows attackers to execute arbitrary code and obtain sensitive information via modules.modules.php.

TinyTurla Next Generation - Turla APT spies on Polish NGOs

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Adapt CMS 3.0.3 Cross Site Scripting / Shell Upload

Adapt CMS version 3.0.3 suffers from persistent cross site scripting and remote shell upload vulnerabilities.

GHSA-w6x2-jg8h-p6mp: Path Traversal in TYPO3 File Abstraction Layer Storages

### Problem

Configurable storages using the local driver of the File Abstraction Layer (FAL) could be configured to access directories outside of the root directory of the corresponding project. The system setting in `BE/lockRootPath` was not evaluated by the file abstraction layer component. An administrator-level backend user account is required to exploit this vulnerability.

### Solution

Update to TYPO3 versions 8.7.57 ELTS, 9.5.46 ELTS, 10.4.43 ELTS, 11.5.35 LTS, 12.4.11 LTS, 13.0.1 that fix the problem described.

#### ℹ️ **Strong security defaults - Manual actions required**

_see [Important: #102800 changelog](https://docs.typo3.org/c/typo3/cms-core/main/en-us/Changelog/11.5.x/Important-102800-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.html)_

Assuming that a web project is located in the directory `/var/www/example.org` (the "project root path" for Composer-based projects) and the publicly accessible directory is located at `/var/www/example.org/...

Complaint Management System 2.0 SQL Injection

Complaint Management System version 2.0 suffers from multiple remote SQL injection vulnerabilities.

GHSA-7c6p-848j-wh5h: Composer code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php

### Impact

Several files within the local working directory are included during the invocation of Composer and in the context of the executing user. As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. All Composer CLI commands are affected, including composer.phar's self-update.

The following are of high risk:

- Composer being run with sudo.
- Pipelines which may execute Composer on untrusted projects.
- Shared environments with developers who run Composer individually on the same project.

### Patches

2.7.0, 2.2.23

### Workarounds

- It is advised that the patched versions are applied at the earliest convenience. Where not possible, the following should be addressed:
- Remove all sudo composer privileges for all users to mitigate root privilege escalation.
- Avoid running Composer within an untrusted direct...