Dirk Haun

Researcher at Geeklog Team
Rank #51705 of 53,633
4.3 total CVSS
Vulnerabilities · 1
PT-2003-2292
4.3
2003-12-31
Geeklog · Geeklog · CVE-2003-1347
**Name of the Vulnerable Software and Affected Versions**

Geeklog version 1.3.7

**Description**

The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through several parameters, including the `cid` parameter to "comment.php", the `uid` parameter to "profiles.php" and "users.php", and the `homepage` field.

**Recommendations**

For Geeklog version 1.3.7, consider restricting access to the vulnerable parameters, such as `cid`, `uid`, and the `homepage` field, until a patch is available. As a temporary workaround, avoid using these parameters in the affected API endpoints, specifically "comment.php", "profiles.php", and "users.php", to minimize the risk of exploitation.