Whitebearvn

**Name of the Vulnerable Software and Affected Versions** Temenos CWX version 8.5.6 **Description** The issue is related to an access control problem in the Registration.aspx file, allowing authenticated attackers to escalate privileges and execute arbitrary administrative commands. **Recommendations** For Temenos CWX version 8.5.6, consider restricting access to the Registration.aspx file until a patch is available. As a temporary workaround, limit the privileges of authenticated users to prevent them from performing administrative commands.

**Name of the Vulnerable Software and Affected Versions** Termenos CWX version 8.5.6 **Description** The issue concerns broken access control in the Registration page, specifically at the "/Registration.aspx" endpoint, allowing attackers to access sensitive information. **Recommendations** For Termenos CWX version 8.5.6, consider restricting access to the "/Registration.aspx" endpoint until a fix is available. As a temporary workaround, review and strengthen access controls to sensitive information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.4.6 **Description** The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. An older issue fixed the XSS in label HTML but did not address it when clicking save. **Recommendations** For versions prior to 4.4.6, update to version 4.4.6 to resolve the issue. As a temporary workaround, consider avoiding the use of the Quick Post feature until the update is applied. Restrict access to the admin dashboard and limit the ability to create or edit sections and entries to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.4.6 **Description** A malformed RSS feed can deliver an XSS payload. The issue can be triggered by the title in the `<item>` tag of an RSS feed. For example, creating an RSS widget and adding a malicious RSS feed can lead to the execution of the XSS payload. **Recommendations** For versions prior to 4.4.6, update to version 4.4.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of RSS widgets or validating RSS feed sources to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.4.7 **Description** Cross-site scripting (XSS) can be triggered by review volumes. The issue is related to the `index.php?p=admin/actions/asset-indexes/process-indexing-session` function, where the `skippedEntries` and `missingEntries` parameters are not properly filtered. This allows an attacker to inject malicious scripts, such as `<script>alert(1337)</script>`, into the assets name, which can be triggered when clicking the review button. **Recommendations** For versions prior to 4.4.7, update to version 4.4.7 to resolve the issue. As a temporary workaround, consider restricting access to the `index.php?p=admin/actions/asset-indexes/process-indexing-session` endpoint until the update is applied. Additionally, avoid using the `skippedEntries` and `missingEntries` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Craft versions prior to 4.4.6 **Description** Cross-site scripting (XSS) can be triggered via the Update Asset Index utility. This issue allows an attacker to inject malicious scripts, potentially leading to unauthorized access or data theft. The vulnerability is exploited by injecting a payload into the asset name, which is then triggered when the Update Asset Indexes utility is used. The JSON response from the volumes name can also trigger the payload on every POST request in the utility. **Recommendations** For versions prior to 4.4.6, update to version 4.4.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Update Asset Index utility until the update can be applied. Avoid using the utility with untrusted input to minimize the risk of exploitation.