Pedro Andjar

**Name of the Vulnerable Software and Affected Versions** E-Business Designer (eBD) versions 3.1.4 and earlier **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the `id` parameter in the form grupo.html file. This might be related to a SQL injection issue. **Recommendations** For versions 3.1.4 and earlier, avoid using the `id` parameter in the form grupo.html file until a fix is available. As a temporary workaround, consider restricting access to the form grupo.html file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** E-Business Designer (eBD) versions 3.1.4 and earlier **Description** The issue allows remote attackers to upload or modify arbitrary files and execute arbitrary code by making a direct request to specific API endpoints, such as "common/html editor/image browser.upload.html", "common/html editor/image browser.html", or "common/html editor/html editor.html". This can also be exploited for cross-site scripting (XSS) attacks by uploading cascading style sheet (.CSS) files. **Recommendations** For versions 3.1.4 and earlier, consider restricting access to the vulnerable API endpoints "common/html editor/image browser.upload.html", "common/html editor/image browser.html", and "common/html editor/html editor.html" to prevent arbitrary file uploads and code execution. As a temporary workaround, avoid using these endpoints until a patch is available.