
Poizon

#26960 of 53,633
9.3 total CVSS
Vulnerabilities · 2
Medium
2
PT-2005-4377
5.0
2005-11-16
Cutenews · Cutenews · CVE-2005-3592
**Name of the Vulnerable Software and Affected Versions**
CuteNews versions 1.4.0 and earlier

**Description**
The issue allows remote attackers to obtain the installation path of the application by triggering an error message. This can be achieved by entering multiple `../` (dot dot slash) in the `archive` parameter of the "index.php" endpoint.

**Recommendations**
For CuteNews versions 1.4.0 and earlier, consider restricting access to the `archive` parameter in the "index.php" endpoint until a fix is available. As a temporary workaround, avoid using the `archive` parameter with multiple `../` (dot dot slash) entries to minimize the risk of path disclosure.
PT-2005-3693
4.3
2005-09-07
Unknown · Greymatter · CVE-2005-2816
**Name of the Vulnerable Software and Affected Versions**
Greymatter (affected versions not specified)

**Description**
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a post comment. This malicious input is recorded in a log file but not properly handled when the administrator uses the "View Control Panel Log" to read the log file.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.