Crashpark

**Nome do software vulnerável e versões afetadas** Vermeg Agile Reporter versão 23.2.1 **Descrição** A vulnerabilidade consiste em um cross-site scripting (XSS) armazenado que permite que invasores executem scripts da web ou HTML arbitrários por meio de uma carga maliciosa injetada no campo `Message` do módulo Set Broadcast Message. Isso permite que invasores possam manipular o comportamento do aplicativo web ou roubar dados do usuário. **Recomendações** Para o Vermeg Agile Reporter versão 23.2.1, considere desativar o módulo Set Broadcast Message ou restringir o acesso a ele até que uma correção esteja disponível para impedir a exploração da vulnerabilidade XSS armazenada. Além disso, evite usar o campo `Message` no módulo Set Broadcast Message até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

**Name of the Vulnerable Software and Affected Versions** VERMEG AgileReporter version 21.3 **Description** An issue was discovered in VERMEG AgileReporter where XXE can occur via an XML document to the Analysis component. **Recommendations** For VERMEG AgileReporter version 21.3, consider restricting access to the Analysis component to minimize the risk of exploitation until a patch is available. As a temporary workaround, avoid using XML documents that may trigger the XXE issue in the Analysis component. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VERMEG AgileReporter version 21.3 **Description** An issue was discovered in the Analysis component, allowing an admin to enter an XSS payload. **Recommendations** For VERMEG AgileReporter version 21.3, consider restricting access to the Analysis component until a patch is available. As a temporary workaround, avoid using the Analysis component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VERMEG AgileReporter version 21.3 **Description** An issue was discovered in VERMEG AgileReporter where attackers can gain privileges via an XSS payload in an Add Comment action to the Activity log. **Recommendations** For VERMEG AgileReporter version 21.3, consider disabling the Add Comment action to the Activity log until a patch is available to prevent exploitation via XSS payload.