Nanoymaster

**Name of the Vulnerable Software and Affected Versions** ph03y3nk just another flat file (JAF) CMS version 4.0 RC1 **Description** The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the `message` parameter in the `/module/shout/jafshout.php` endpoint, and possibly other parameters. Additionally, the issue can be exploited through the message body in a forum post in the `/module/forum/topicwin.php` endpoint, related to the `name`, `email`, `title`, `date`, `ldate`, and `lname` variables. **Recommendations** For ph03y3nk just another flat file (JAF) CMS version 4.0 RC1, consider disabling the shoutbox functionality in `module/shout/jafshout.php` and restricting user input in the forum post functionality in `module/forum/topicwin.php` to minimize the risk of exploitation. Avoid using the `message` parameter in the `/module/shout/jafshout.php` endpoint and the `name`, `email`, `title`, `date`, `ldate`, and `lname` variables in the `/module/forum/topicwin.php` endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ph03y3nk just another flat file (JAF) CMS version 4.0 RC1 **Description** The issue allows remote attackers to execute arbitrary code within sections bounded by "<?php" and "?>", possibly due to a static code injection vulnerability involving admin/data inc.php. **Recommendations** For ph03y3nk just another flat file (JAF) CMS version 4.0 RC1, consider restricting access to the `module/shout/jafshout.php` file and the `admin/data inc.php` script until a patch is available. As a temporary workaround, restrict the execution of code within sections bounded by "<?php" and "?>". At the moment, there is no information about a newer version that contains a fix for this vulnerability.