Alejandro Amorín

**Name of the Vulnerable Software and Affected Versions** Subrion version 4.2.1 **Description** A Cross-site scripting (XSS) issue exists in the /panel/languages/ endpoint, allowing attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the `Title` parameter. This enables attackers to potentially steal user data or take control of user sessions. **Recommendations** For Subrion version 4.2.1, consider disabling access to the /panel/languages/ endpoint until a patch is available, and avoid using the `Title` parameter in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Subrion version 4.2.1 **Description** A Cross-site scripting (XSS) issue exists in the /panel/configuration/financial/ endpoint, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into several fields: `Minimum deposit`, `Maximum deposit`, and/or `Maximum balance`. **Recommendations** For Subrion version 4.2.1, as a temporary workaround, consider restricting access to the /panel/configuration/financial/ endpoint and avoid using the `Minimum deposit`, `Maximum deposit`, and `Maximum balance` fields until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CSZ CMS version 1.3.0 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Database Username` or `Database Host` parameters in the install/index.php file. This enables the execution of malicious code, potentially leading to security breaches. **Recommendations** For CSZ CMS version 1.3.0, consider disabling the install/index.php file until a patch is available to prevent exploitation. Restrict access to the `Database Username` and `Database Host` parameters to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.