Incibe

**Name of the Vulnerable Software and Affected Versions** Graylog versions 2.2.3 **Description** A Reflected Cross-Site Scripting (XSS) issue exists in the Graylog Web Interface console. This is due to insufficient sanitization and escaping of HTML output. The issue allows an attacker to inject and execute arbitrary JavaScript code when a user visits a specially crafted URL. Exploitation may allow script execution in the victim’s browser and limited manipulation of the affected user’s session context. The `/system/nodes/` endpoint is affected, as it includes segments of the URL directly in the response without applying output encoding. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Performance Evaluation (EDD) application versions (affected versions not specified) **Description** An out-of-band SQL injection vulnerability (OOB SQLi) exists in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploitation of this issue involves the `txAny` parameter within the ''/evaluacion competencias autoeval list.aspx'' endpoint, potentially allowing an attacker to extract sensitive information from the database through external channels. The application does not directly return the extracted data, which compromises the confidentiality of the stored information. OOB SQLi is a technique where the results of a SQL query are sent to an external server controlled by the attacker, rather than being displayed within the application itself. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.