3As0No

**Name of the Vulnerable Software and Affected Versions** gopeak masterlab version 2.1.5 **Description** A server-side request forgery (SSRF) issue exists due to the `source` parameter in Upgrade.php. This allows for potential unauthorized access to internal resources. **Recommendations** For gopeak masterlab version 2.1.5, consider restricting access to the `source` parameter in Upgrade.php to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Bludit version 3.12.0 **Description** The issue allows stored XSS via JavaScript code in an SVG document to the "bl-kernel/ajax/logo-upload.php" API endpoint. This enables potential attackers to inject malicious scripts into the application. **Recommendations** For Bludit version 3.12.0, as a temporary workaround, consider restricting access to the "bl-kernel/ajax/logo-upload.php" API endpoint until a patch is available. Avoid using this endpoint with SVG documents containing JavaScript code to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.