0X4M3R

**Name of the Vulnerable Software and Affected Versions** BoidCMS versions prior to 2.1.2 **Description** A reflected Cross-site Scripting (XSS) issue exists in the "admin?page=media" endpoint, specifically in the `file` parameter, allowing an attacker to inject arbitrary JavaScript code. This could lead to stealing the user's session cookie, performing phishing attacks, or defacing the website. **Recommendations** For versions prior to 2.1.2, upgrade to version 2.1.2 to resolve the issue. As a temporary workaround, consider restricting access to the "/admin?page=media" endpoint to minimize the risk of exploitation. Avoid using the `file` parameter in the affected endpoint until the issue is resolved.