Searchblox · Searchblox · CVE-2018-11538
**Name of the Vulnerable Software and Affected Versions**
SearchBlox version 8.6.6
**Description**
The vulnerability is a CSRF token bypass in the servlet/UserServlet endpoint, the servlet that manages user accounts. The request parameters involved are `u_name`, `u_passwd1`, `u_passwd2`, `role`, and `X-XSRF-TOKEN`. Because the anti-CSRF check on this endpoint can be bypassed, an attacker who gets an authenticated administrator to load a page under the attacker's control can have the victim's browser submit a forged POST to the endpoint; given the parameters it accepts (account name, password, and role), such a request can create or modify a user account, including granting it an administrative role.
**Recommendations**
No fixed release was known when this entry was written, so the measures below are workarounds, to be kept in place until the vendor publishes a fix. Restrict access to the servlet/UserServlet endpoint, for example by placing SearchBlox behind a reverse proxy that only admits requests for that path from administrative networks. At the same proxy, reject state-changing requests to the endpoint whose `Origin` header (or, failing that, `Referer`) does not match the SearchBlox site's own origin; this blocks the cross-site requests a CSRF attack depends on regardless of how the token check is bypassed. Where the deployment allows it, mark the session cookie `SameSite` so browsers do not attach it to cross-site form submissions. Disabling the listed parameters is not a workable mitigation: `u_name`, `u_passwd1`, `u_passwd2`, and `role` are the inputs the servlet needs to manage accounts, and `X-XSRF-TOKEN` is the anti-CSRF token itself. Finally, review the user list and role assignments for changes that administrators did not make, since successful exploitation results in a new or altered account.
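The following is an added example of the access-control check described above, written for this page and not taken from SearchBlox or from the original advisory. It models the decision a reverse proxy or servlet filter would make in front of servlet/UserServlet: an IP allowlist for the endpoint, an `Origin`/`Referer` check for state-changing methods, and a constant-time comparison of the `X-XSRF-TOKEN` header against the session-bound token. The trusted origin, the admin network, the `Request` type and the session token field are assumptions for illustration; the check deliberately reads the token from the request header only, so a value placed in the POST body is never accepted.

```python
import hmac
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional
from urllib.parse import urlsplit

# Deployment values assumed for this example (not SearchBlox defaults).
TRUSTED_ORIGIN = "https://search.example.internal"
PROTECTED_SUFFIX = "/servlet/UserServlet"        # path named in the advisory
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]       # hypothetical admin network
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal request model (hypothetical); header names are stored lower-cased."""
    method: str
    path: str
    remote_addr: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)          # decoded POST body parameters
    session_token: Optional[str] = None               # CSRF token bound to the server-side session


def _header(req: Request, name: str) -> Optional[str]:
    return req.headers.get(name.lower())


def _origin_of(req: Request) -> Optional[str]:
    """scheme://host[:port] from Origin, else derived from Referer, else None."""
    origin = _header(req, "Origin")
    if origin and origin != "null":
        return origin
    referer = _header(req, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def check_user_servlet(req: Request):
    """Return (allowed, reason) for a request, applying the checks only to the protected servlet."""
    if not req.path.endswith(PROTECTED_SUFFIX):
        return True, "not a protected path"

    # 1. Network restriction: only administrative source addresses reach the servlet at all.
    if not any(ip_address(req.remote_addr) in net for net in ADMIN_NETWORKS):
        return False, "source address not in admin allowlist"

    if req.method.upper() not in STATE_CHANGING:
        return True, "read-only method"

    # 2. Cross-site requests are rejected outright; a missing Origin/Referer is also rejected,
    #    so a forged request cannot pass simply by stripping the headers.
    origin = _origin_of(req)
    if origin is None:
        return False, "state-changing request without Origin or Referer"
    if origin != TRUSTED_ORIGIN:
        return False, f"cross-site origin {origin}"

    # 3. Synchronizer token: header only, compared in constant time against the session value.
    presented = _header(req, "X-XSRF-TOKEN")
    if not presented or not req.session_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(presented, req.session_token):
        return False, "CSRF token mismatch"
    return True, "same-origin request with valid token"
```

A forged request carrying the advisory's parameters (`u_name`, `u_passwd1`, `u_passwd2`, `role`, and a body-supplied `X-XSRF-TOKEN`) fails at the origin check before the token is even inspected, and a same-origin request that carries the token only in the body fails the header check; only a same-origin request from the admin network with a matching header token is allowed.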