Anxo Januario Gonzales

**Name of the Vulnerable Software and Affected Versions** BuddyBoss version 2.2.9 **Description** The issue allows an authenticated user to access and rename other users' albums by exploiting an authorization bypass vulnerability. This can be done by changing the album identification (`id`). **Recommendations** For BuddyBoss version 2.2.9, consider restricting access to album renaming functionality until a patch is available. As a temporary workaround, monitor album modifications closely to detect potential unauthorized changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BuddyBoss version 2.2.9 **Description** The issue is a Cross-Site Scripting vulnerability that could allow a local attacker with basic privileges to execute a malicious payload through the `name` parameter, specifically when set to `image.jpg`. This allows the assignment of a persistent JavaScript payload that would be triggered when the associated image is loaded. **Recommendations** For BuddyBoss version 2.2.9, consider disabling the ability to upload images or restricting the use of the `name` parameter to minimize the risk of exploitation until a patch is available. Avoid using the `name` parameter in affected endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** BuddyBoss Platform version 2.2.9 **Description** A stored XSS issue has been found, allowing an attacker to store a malicious javascript payload via a POST request when sending an invitation. This enables the attacker to execute malicious code on the platform. **Recommendations** For version 2.2.9, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting the ability to send invitations or disabling the invitation feature until a patch is available. Avoid using the vulnerable functionality until the issue is resolved.