Blwood

**Name of the Vulnerable Software and Affected Versions** Nuked-Klan version 1.7 SP4.3 **Description** The issue allows remote attackers to bypass anti-XSS features and inject arbitrary web script or HTML via JavaScript in an attribute value that is not in the blacklist. This can be demonstrated using the STYLE attribute of a B element. **Recommendations** For Nuked-Klan version 1.7 SP4.3, consider updating the blacklist in the nk CSS function to include all potentially vulnerable attributes, such as the STYLE attribute, to prevent bypassing of anti-XSS features. As a temporary workaround, consider restricting the use of JavaScript in attribute values until a comprehensive fix is applied.

**Name of the Vulnerable Software and Affected Versions** Nuked-Klan versions 1.7.5 and earlier Nuked-Klan version 1.7 SP4.2 **Description** A cross-site request forgery (CSRF) issue exists in the del block function, allowing remote attackers to delete arbitrary blocks. This is achieved by modifying the `bid` parameter in a del block operation on the block page in index.php. **Recommendations** For Nuked-Klan versions 1.7.5 and earlier, restrict access to the del block function in modules/Admin/block.php to prevent unauthorized deletion of blocks. For Nuked-Klan version 1.7 SP4.2, consider disabling the del block function until a fix is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** Tikiwiki versions 1.9.x **Description** The issue allows remote attackers to inject arbitrary web script or HTML via malformed nested HTML tags. This can be done through various parameters in different PHP files, including `offset` and `days` in "tiki-lastchanges.php", `find` and `offset` in "tiki-orphan pages.php", `offset` and `initial` in "tiki-listpages.php", and an unspecified field in "tiki-remind password.php". Additionally, remote authenticated users with admin privileges can inject arbitrary web script or HTML via unspecified fields in various admin PHP files, including "tiki-admin.php", "tiki-admin rssmodules.php", "tiki-syslog.php", "tiki-adminusers.php", "tiki-admin hotwords.php", "tiki-admin modules.php", "tiki-admin notifications.php", "tiki-admin dsn.php", "tiki-admin content templates.php", and "tiki-admin chat.php". The `offset` parameter is vulnerable in several of these files. **Recommendations** For Tikiwiki version 1.9.x, consider disabling the affected PHP files until a patch is available. Restrict access to the vulnerable parameters, such as `offset`, `days`, `find`, `initial`, `numrows`, `Name`, and `Dsn`, to minimize the risk of exploitation. Avoid using unspecified fields in admin actions, such as metatags and "Assign new module", until the issue is resolved. As a temporary workaround, limit the privileges of admin users to reduce the potential impact of the issue.