Daloradius · Radius Manager · CVE-2010-4275
**Name of the Vulnerable Software and Affected Versions**
Radius Manager version 3.8.0
**Description**
The issue is a cross-site scripting (XSS) vulnerability that allows remote authenticated administrators to inject arbitrary web script or HTML via the `name` or `descr` parameter in an "update usergroup" or "store nas" action to "admin.php".
**Recommendations**
For Radius Manager version 3.8.0, consider restricting access to the "admin.php" endpoint until a patch is available. To minimize the risk of exploitation, avoid using the `name` and `descr` parameters in the "update usergroup" and "store nas" actions. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
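
While access to "admin.php" is restricted, requests that still reach it can be screened for markup in the two affected parameters. The following is an added example, not code from Radius Manager or its vendor. It assumes the parameters arrive in the query string or in a form-encoded body, and the `/radiusmanager/` path prefix and the sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "admin.php"              # endpoint named in the advisory
WATCHED_PARAMS = {"name", "descr"}  # parameters named in the advisory
# Strict on purpose: characters that can open a tag or close an attribute.
MARKUP = re.compile(r"[<>\"']")


def fully_decode(value, rounds=3):
    """Undo repeated URL-encoding (e.g. %253C -> %3C -> <), bounded by `rounds`."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(url, body=""):
    """Return the watched parameters whose decoded value contains markup."""
    parts = urlsplit(url)
    if parts.path.rsplit("/", 1)[-1].lower() != ENDPOINT:
        return []
    # Check both the query string and a form-encoded body.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    return sorted({
        key.lower() for key, value in pairs
        if key.lower() in WATCHED_PARAMS and MARKUP.search(fully_decode(value))
    })


# Constructed sample requests (URL, form body); paths are hypothetical.
SAMPLES = [
    ("/radiusmanager/admin.php", "name=Branch+office&descr=Main+NAS"),
    ("/radiusmanager/admin.php", "name=Office&descr=%3Cb%3Ebold%3C%2Fb%3E"),
    ("/radiusmanager/admin.php?name=%253Cscript%253E", ""),
    ("/radiusmanager/user.php", "name=%3Cb%3E"),
]


def scan(samples):
    """Return (url, flagged_params) for every sample that trips the check."""
    return [(url, hits) for url, body in samples if (hits := flag_request(url, body))]


if __name__ == "__main__":
    for url, hits in scan(SAMPLES):
        print(f"review: {url} -> {', '.join(hits)}")
```

The character set also flags legitimate names that contain an apostrophe or quote, so treat hits as items to review rather than as confirmed injection attempts.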