Pranav Jagtap

**Name of the Vulnerable Software and Affected Versions** Tiki version 17.1 **Description** The issue allows the upload of a .PNG file that actually contains SVG content, leading to a cross-site scripting (XSS) issue. This occurs because the software does not properly validate the content of uploaded files. **Recommendations** For Tiki version 17.1, consider disabling the image upload feature until a patch is available to prevent the upload of malicious files. Restrict access to the file upload module to minimize the risk of exploitation. Avoid using the image upload feature in sensitive areas of the application until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Tiki version 17.1 **Description** The issue allows HTML injection in the Calendar component. **Recommendations** For Tiki version 17.1, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Tiki version 17.1 **Description** The issue allows for a CSV Injection attack due to a lack of validation for special characters in user input. This can lead to malicious activity, such as opening a CMD.EXE or Calculator window on the victim machine. For example, a payload like "=cmd|' /C calc'!A0" can be used during User Creation to exploit this issue. **Recommendations** For Tiki version 17.1, update the software to a version that includes input validation for special characters to prevent CSV Injection attacks.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.8.14 **Description** The issue arises from the lack of validation for a valid CSRF token, allowing for the arbitrary deletion of user accounts. **Recommendations** For MyBB version 1.8.14, update to a version that includes a fix for this issue, as the current version does not properly check for a valid CSRF token.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.8.14 **Description** The issue allows for XSS via the Title or Description field on the Edit Forum screen. **Recommendations** For MyBB version 1.8.14, update to a version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Bolt CMS version 3.2.14 **Description** The issue allows stored XSS via text input, as demonstrated by the Title field of a New Entry. This can be exploited by injecting malicious code into the text input fields. **Recommendations** For Bolt CMS version 3.2.14, update to a version that contains a fix for this issue. As a temporary workaround, consider restricting access to the text input fields, such as the Title field of a New Entry, to minimize the risk of exploitation. Avoid using the `title` field in the affected entry creation process until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Bolt CMS version 3.2.14 **Description** The issue allows for stored XSS by uploading an SVG document with a "Content-Type: image/svg+xml" header. This can be exploited by uploading a malicious SVG file. **Recommendations** For Bolt CMS version 3.2.14, consider restricting the upload of SVG documents or validating the `Content-Type` header to prevent malicious uploads until a patch is available.