Oran9E

**Name of the Vulnerable Software and Affected Versions** Axublog version 1.1.0 **Description** The issue allows remote code execution by injecting PHP code into the cmsconfig.php file. This is demonstrated through the injection of PHP code contained in the `webkeywords` parameter. **Recommendations** For Axublog version 1.1.0, as a temporary workaround, consider restricting access to the `webkeywords` parameter to minimize the risk of exploitation. Avoid using the `webkeywords` parameter until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Z-BlogPHP version 1.5.2 **Description** The issue allows an administrator to inject a Cross Site Scripting (XSS) payload via the `ZC BLOG NAME` parameter in the "Web site settings --> Basic setting --> Website title" section, accessible through the zb system/cmd.php endpoint, specifically the "Web site settings --> Basic setting --> Website title" page. The vendor has disputed the security relevance of this issue, characterizing it as a functional bug rather than a security vulnerability. **Recommendations** For Z-BlogPHP version 1.5.2, as a temporary workaround, consider restricting access to the `ZC BLOG NAME` parameter in the zb system/cmd.php endpoint to minimize the risk of exploitation. Avoid using the `ZC BLOG NAME` parameter in the affected section until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: EasyCMS version 1.3 Description: The issue allows for XSS via the `s` POST parameter in an "index.php?s=/index/search/index.html" request. This is related to a search box value. Recommendations: For EasyCMS version 1.3, consider restricting the use of the search function until a fix is available, or avoid using the `s` parameter in the "index.php?s=/index/search/index.html" request to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: MiniCMS version 1.10 Description: The issue allows for XSS via the `title` parameter in the "mc-admin/post-edit.php" API endpoint. Recommendations: For MiniCMS version 1.10, avoid using the `title` parameter in the "mc-admin/post-edit.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "mc-admin/post-edit.php" endpoint to minimize the risk of exploitation.