Pham Kien Cuong

**Name of the Vulnerable Software and Affected Versions** WoltLab Community Gallery version 2.0 before 2014-12-26 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `parameters[data][7][title]` parameter in a "saveImageData" action to "index.php/AJAXProxy". This is a cross-site scripting (XSS) issue. **Recommendations** For WoltLab Community Gallery version 2.0 before 2014-12-26, update to a version released after 2014-12-26 to resolve the issue. As a temporary workaround, consider restricting access to the "saveImageData" action in "index.php/AJAXProxy" to minimize the risk of exploitation. Avoid using the `parameters[data][7][title]` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Redaxscript versions prior to 2.3.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the `search terms` parameter in the `search post` function, located in includes/search.php. **Recommendations** For versions prior to 2.3.0, update to version 2.3.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the `search post` function in includes/search.php to minimize the risk of exploitation. Avoid using the `search terms` parameter in the affected function until the issue is resolved.