Sqlsec

**Name of the Vulnerable Software and Affected Versions** EasyCMS version 1.4 **Description** The issue concerns the removeXSS function in EasyCMS, which is vulnerable to XSS attacks via an onhashchange event. This is due to the function's inadequate handling of certain events, allowing malicious scripts to be executed. **Recommendations** For EasyCMS version 1.4, consider modifying the removeXSS function in App/Common/common.php to properly handle onhashchange events and prevent XSS attacks. As a temporary workaround, consider disabling the removeXSS function until a patch is available. Restrict access to the SearchAction.class.php module to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Catfish CMS version 4.7.9 **Description** The issue allows for XSS via the `editorValue` parameter in the "admin/Index/write.html" endpoint. This occurs when an article is posted by an administrator. **Recommendations** For Catfish CMS version 4.7.9, avoid using the `editorValue` parameter in the "admin/Index/write.html" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.