Wenming Jiang

Name of the Vulnerable Software and Affected Versions: Frog CMS version 0.9.5 Description: The issue is related to a stored Cross Site Scripting vulnerability. It can be triggered via the `Admin Site title` in the Settings section. Recommendations: For Frog CMS version 0.9.5, update to a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Monstra CMS version 3.0.4 Description: The issue is related to a stored XSS vulnerability. When an attacker has access to the editor role, they can enter a malicious payload in the content section of a new page in the blog catalog. Recommendations: For Monstra CMS version 3.0.4, update to a version that includes a fix for this issue, as using the editor role with the current version poses a risk of stored XSS attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Monstra CMS version 3.0.4 **Description** The issue allows remote attackers to delete files. This can be achieved by sending a request to the "admin/index.php" endpoint with specific parameters, including `id` set to "filesmanager", `delete dir` set to "./", and `path` set to "uploads/". **Recommendations** For Monstra CMS version 3.0.4, as a temporary workaround, consider restricting access to the "admin/index.php" endpoint, specifically the file manager functionality, until a patch is available. Avoid using the `delete dir` and `path` parameters in the affected endpoint until the issue is resolved.