Holychang

**Name of the Vulnerable Software and Affected Versions** Maccms versions through 8.0 **Description** The issue allows for XSS via the `site keywords` field to "index.php?m=system-config" because of vulnerabilities in tpl/module/system.php and tpl/html/system config.html, related to template/paody/html/vod index.html. **Recommendations** For versions through 8.0, consider restricting access to the `site keywords` field in the "index.php?m=system-config" endpoint until a patch is available. As a temporary workaround, consider disabling the vulnerable template files, specifically tpl/module/system.php and tpl/html/system config.html, to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Maccms version 8.0 **Description** The issue allows for XSS via the `t key` parameter in the inc/config/cache.php file. This is because the template/paody/html/vod type.html file mishandles the `keywords` parameter, and the a/tpl/module/db.php file only filters the `t name` parameter, not the `t key` parameter. **Recommendations** For Maccms version 8.0, consider restricting access to the `t key` parameter in the inc/config/cache.php file until a patch is available. As a temporary workaround, avoid using the `t key` parameter in the affected API endpoint until the issue is resolved.