Auracms · Auracms · CVE-2006-3558
**Name of the Vulnerable Software and Affected Versions**
auraCMS version 1.62
**Description**
The issue allows remote attackers to inject arbitrary web script or HTML, resulting in cross-site scripting (XSS). Injection is possible via the `judul artikel` parameter in `teman.php` and via the title of an article sent to the admin, which is displayed when unauthenticated users visit `index.php`.
**Recommendations**
For auraCMS version 1.62, as a temporary workaround until a patch is available, consider restricting access to the `teman.php` page and avoiding the use of the `judul artikel` parameter. Additionally, restrict the display of article titles sent to the admin to authenticated users only, to minimize the risk of exploitation.
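Beyond the workaround, the standard remedy for this class of flaw is to encode the title at the point where it is printed. The PHP below is an added example, not auraCMS code and not part of the advisory: it shows a title listing such as the one on `index.php` in unescaped and escaped form. All function names and the `judul` array key are assumptions, since the page does not show the application's source.

```php
<?php
// Added illustration: auraCMS's real source is not shown on the page, so every
// function name and array key below is hypothetical.

// Encode a title for an HTML text or quoted-attribute context.
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Input side (the teman.php form): normalise and bound the submitted title.
// This is hygiene only; it does not replace output encoding. Needs mbstring.
function clean_title(string $raw): string
{
    $t = preg_replace('/[\x00-\x1F\x7F]/', '', $raw); // drop control bytes
    return mb_substr(trim($t), 0, 150, 'UTF-8');
}

// Output side (the index.php listing) before the fix.
function render_titles_vulnerable(array $articles): string
{
    $html = "<ul>\n";
    foreach ($articles as $a) {
        $html .= "  <li>{$a['judul']}</li>\n"; // raw title reaches the page
    }
    return $html . "</ul>\n";
}

// Output side after the fix: every title is encoded where it is printed.
function render_titles_hardened(array $articles): string
{
    $html = "<ul>\n";
    foreach ($articles as $a) {
        $html .= '  <li>' . esc_html($a['judul']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample data: one ordinary title, one carrying HTML markup.
$articles = [
    ['judul' => clean_title('Berita hari ini')],
    ['judul' => clean_title('<u>Judul</u>')],
];

echo render_titles_vulnerable($articles); // second item is parsed as markup
echo render_titles_hardened($articles);   // second item is displayed as text
```

Encoding at output covers titles that are already stored as well as new submissions, which input filtering alone does not.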