Fvi-Atto

**Name of the Vulnerable Software and Affected Versions** QuickAppsCMS version 2.0.0-beta2 **Description** The issue allows an unauthorized remote attacker to create an account with admin privileges due to a CSRF vulnerability in the `/admin/user/manage/add` API endpoint. **Recommendations** For QuickAppsCMS version 2.0.0-beta2, as a temporary workaround, consider disabling access to the `/admin/user/manage/add` endpoint until a patch is available. Restrict access to the admin user management functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** enhavo version 0.4.0 **Description** The issue allows for a cross-site scripting (XSS) attack via a user-group that contains executable JavaScript code in the `user-group` name. This attack is launched when a victim visits the "admin user group" page. **Recommendations** For version 0.4.0, consider restricting access to the admin user group page until a fix is available, and avoid using executable JavaScript code in user-group names.

**Name of the Vulnerable Software and Affected Versions** Hoosk version 1.7.0 **Description** A CSRF issue exists, allowing for account creation via the "/admin/users/new/add" API endpoint. **Recommendations** For Hoosk version 1.7.0, as a temporary workaround, consider restricting access to the "/admin/users/new/add" API endpoint until a patch is available.