Stephane Bortzmeyer

**Name of the Vulnerable Software and Affected Versions** ZoneCheck version 2.1.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The injection vectors are related to `xmlnode.value`, `zc-error` text, `$zc version`, and `domainname` in a `zc-title` row. **Recommendations** For ZoneCheck version 2.1.0, consider disabling the `xmlnode.value`, `zc-error` text, `$zc version`, and `domainname` in a `zc-title` row functionality until a patch is available to prevent exploitation. Restrict access to sensitive areas of the application to minimize the risk of XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ZoneCheck versions 2.0.4 through 2.1.0 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `ns` parameter to the "zc.cgi" endpoint. **Recommendations** For ZoneCheck versions 2.0.4 through 2.1.0, consider restricting access to the `zc.cgi` endpoint until a patch is available. As a temporary workaround, avoid using the `ns` parameter in the affected endpoint to minimize the risk of exploitation.