Pcsjj

**Name of the Vulnerable Software and Affected Versions** ZPanel versions 10.0.1 and earlier **Description** The issue allows remote attackers to hijack the authentication of administrators for requests, including creating new FTP users, conducting cross-site scripting (XSS) attacks, and conducting SQL injection attacks. This can be achieved through various actions and parameters, such as the `CreateFTP` action in the `ftp management` module, the `inFullname` parameter in an `UpdateAccountSettings` action in the `my account` module, and the `inEmailAddress` parameter in an `UpdateClient` action in the `manage clients` module. **Recommendations** For ZPanel versions 10.0.1 and earlier, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZPanel versions 10.0.1 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `inFullname` parameter in an UpdateAccountSettings action in the my account module to "zpanel/". **Recommendations** For ZPanel versions 10.0.1 and earlier, consider restricting access to the my account module until a fix is available. As a temporary workaround, avoid using the `inFullname` parameter in the UpdateAccountSettings action.

**Name of the Vulnerable Software and Affected Versions** ZPanel versions 10.0.1 and earlier **Description** A SQL injection issue allows remote attackers to execute arbitrary SQL commands via the `inEmailAddress` parameter in an UpdateClient action in the manage clients module. **Recommendations** For ZPanel versions 10.0.1 and earlier, update to a version later than 10.0.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** White Label CMS plugin versions prior to 1.5.1 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the `wlcms o developer name` parameter in a save action to "wp-admin/admin.php". This can be exploited by including XSS sequences in the developer name. **Recommendations** For versions prior to 1.5.1, update to version 1.5.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "wp-admin/admin.php" endpoint to minimize the risk of exploitation. Avoid using the `wlcms o developer name` parameter in the affected save action until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** White Label CMS plugin version 1.5 for WordPress **Description** A cross-site scripting (XSS) issue allows remote authenticated administrators to inject arbitrary web script or HTML. This is achieved via the `wlcms o developer name` parameter in a save action to "wp-admin/admin.php". **Recommendations** For White Label CMS plugin version 1.5, avoid using the `wlcms o developer name` parameter in the save action to "wp-admin/admin.php" until the issue is resolved. As a temporary workaround, consider restricting access to the wp-admin/admin.php endpoint to minimize the risk of exploitation.