Romanhu

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** An issue in the software allows a local attacker to execute arbitrary code via a crafted payload to the `Content Manager Menu` component. **Recommendations** For CMSmadesimple version 2.2.18, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `Top Directory` parameter in the `File Picker Menu` component. This enables the attacker to inject malicious scripts, potentially leading to unauthorized actions on the system. **Recommendations** For CMSmadesimple version 2.2.18, consider disabling the `File Picker Menu` component until a patch is available to prevent exploitation of the Cross Site Scripting issue. Restrict access to the `Top Directory` parameter to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** RiteCMS version 3.0 **Description** A File upload issue allows a local attacker to upload a SVG file containing XSS content. **Recommendations** For RiteCMS version 3.0, consider restricting file uploads to prevent exploitation until a fix is available. As a temporary workaround, disable the ability to upload SVG files to minimize the risk of XSS attacks.

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.4.59197 **Description** A Cross-Site Scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted script to the Spare aliases from Alias. This enables the attacker to potentially perform unauthorized actions on the system. **Recommendations** For Zenario CMS version 9.4.59197, consider disabling access to the Spare aliases from Alias feature until a patch is available to prevent exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `Title` parameter in the News Menu component. This enables the attacker to perform unauthorized actions. **Recommendations** For CMSmadesimple version 2.2.18, consider disabling the News Menu component until a patch is available to prevent exploitation. Restrict access to the Title parameter to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** The issue allows a local attacker to execute arbitrary code via a crafted script to the `password` and `password again` parameters in the My Preferences - Add user component. This enables the attacker to perform Cross Site Scripting attacks. **Recommendations** For CMSmadesimple version 2.2.18, update to a version that fixes this issue to prevent exploitation. As a temporary workaround, consider restricting access to the My Preferences - Add user component until a patch is available. Avoid using the `password` and `password again` parameters in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `Global Meatadata` parameter in the Global Settings Menu component. This enables the attacker to perform unauthorized actions. **Recommendations** For CMSmadesimple version 2.2.18, consider disabling access to the Global Settings Menu component until a patch is available. Restrict modifications to the `Global Meatadata` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `Profiles` parameter in the Extensions - MicroTiny WYSIWYG editor component. This enables the attacker to perform unauthorized actions. **Recommendations** For CMSmadesimple version 2.2.18, consider disabling the MicroTiny WYSIWYG editor component until a patch is available to prevent exploitation of the Cross Site Scripting issue. Restrict access to the `Profiles` parameter to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opensolution Quick CMS version 6.7 **Description** A cross-site scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted script to the `Backend - Dashboard` parameter in the `Languages Menu` component. This enables the attacker to perform unauthorized actions. **Recommendations** For opensolution Quick CMS version 6.7, consider disabling access to the `Languages Menu` component until a patch is available to prevent exploitation of the XSS vulnerability. Restrict the use of the `Backend - Dashboard` parameter to minimize the risk of arbitrary code execution.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `extra` parameter in the news menu component. This enables the attacker to perform unauthorized actions on the system. **Recommendations** For CMSmadesimple version 2.2.18, consider disabling the news menu component until a patch is available to prevent exploitation. Restrict access to the `extra` parameter to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `Title` parameter in the Manage Shortcuts component. This enables the attacker to perform unauthorized actions. **Recommendations** For CMSmadesimple version 2.2.18, consider disabling the Manage Shortcuts component until a patch is available to prevent exploitation of the `Title` parameter. Restrict access to this component to minimize the risk of arbitrary code execution. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CMSmadesimple version 2.2.18 **Description** A Cross Site Scripting issue allows a local attacker to execute arbitrary code via a crafted script to the `Page Specific Metadata` and `Smarty data` parameters in the Content Manager Menu component. **Recommendations** For CMSmadesimple version 2.2.18, update to a version that fixes this issue, as the current version allows for the execution of arbitrary code by a local attacker. As a temporary workaround, consider restricting access to the Content Manager Menu component until a patch is available. Avoid using the `Page Specific Metadata` and `Smarty data` parameters in the affected component until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Subrion CMS version 4.2.1 **Description** Multiple Cross-Site Scripting (XSS) vulnerabilities in the installation of Subrion CMS allow a local attacker to execute arbitrary web scripts via a crafted payload injected into the `dbhost`, `dbname`, `dbuser`, `adminusername`, and `adminemail`. **Recommendations** For Subrion CMS version 4.2.1, consider disabling the installation process until a patch is available to prevent exploitation of the XSS vulnerabilities. Restrict access to the vulnerable parameters `dbhost`, `dbname`, `dbuser`, `adminusername`, and `adminemail` to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opensolution Quick CMS version 6.7 **Description** A cross-site scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted script to the `SEO - Meta description` parameter in the Pages Menu component. This enables the attacker to perform actions on the website that they would not normally be able to do. **Recommendations** For opensolution Quick CMS version 6.7, as a temporary workaround, consider restricting access to the SEO - Meta description parameter in the Pages Menu component until a patch is available. Avoid using the `SEO - Meta description` parameter in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opensolution Quick CMS version 6.7 **Description** A cross-site scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted script to the `Content - Name` parameter in the Pages Menu component. This enables the attacker to perform unauthorized actions on the system. **Recommendations** For opensolution Quick CMS version 6.7, as a temporary workaround, consider restricting access to the Pages Menu component until a patch is available. Avoid using the `Content - Name` parameter in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** opensolution Quick CMS version 6.7 **Description** A cross-site scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted script to the Languages Menu component. This enables the attacker to perform actions on the web application that they would not normally be allowed to do. **Recommendations** For opensolution Quick CMS version 6.7, consider disabling access to the Languages Menu component until a patch is available to prevent exploitation of the XSS vulnerability.

**Name of the Vulnerable Software and Affected Versions** evolution evo version 3.2.3 **Description** A cross-site scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted payload injected `uid` parameter. This enables the attacker to perform unauthorized actions on the system. **Recommendations** For evolution evo version 3.2.3, consider disabling the `uid` parameter in the affected API endpoint until a patch is available. Restrict access to the vulnerable component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** evolution version 3.2.3 **Description** A cross-site scripting (XSS) issue allows a local attacker to execute arbitrary code via a crafted payload injected into the `cmsadmin`, `cmsadminemail`, `cmspassword`, and `cmspasswordconfim` parameters. This enables the attacker to perform unauthorized actions on the system. **Recommendations** For evolution version 3.2.3, consider disabling the parameters `cmsadmin`, `cmsadminemail`, `cmspassword`, and `cmspasswordconfim` as a temporary workaround until a patch is available. Restrict access to these parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS version 9.2.1 **Description** The issue allows for Arbitrary File Upload via a Thumbnail file upload, which can lead to Cross-Site Scripting (XSS). This is possible even with the default configuration, where 'pdf' is one of the allowed file types, despite the vendor's stance that customers should exclude 'pdf' from allowed file types. **Recommendations** For Concrete CMS version 9.2.1, consider excluding 'pdf' from the allowed file types in the configuration to mitigate the risk of Arbitrary File Upload and subsequent Cross-Site Scripting (XSS) attacks. As a temporary workaround, restrict the use of the Thumbnail file upload feature until a proper fix is applied.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS versions prior to 9.2.3 **Description** A Cross Site Scripting (XSS) issue exists via the `SITE` parameter during installation or in the Settings, allowing an attacker to execute arbitrary code via a crafted script. **Recommendations** For versions prior to 9.2.3, update to version 9.2.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the installation and Settings pages to minimize the risk of exploitation. Avoid using the `SITE` parameter in the affected API endpoint until the issue is resolved.