Alediben

**Name of the Vulnerable Software and Affected Versions** ThinkCMF version 6.0.7 **Description** The issue allows a Super Administrator user to be injected into administrative users due to a Cross Site Request Forgery (CSRF) vulnerability. **Recommendations** For ThinkCMF version 6.0.7, update to a version that includes a fix for this issue, as no specific workaround is provided in the available data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ThinkCMF version 6.0.7 **Description** The issue allows an attacker to inject a Persistent XSS payload in the Slideshow Management section, executing arbitrary JavaScript code on the client side. This could be used to steal the administrator's PHP session token, specifically the `PHPSESSID`. **Recommendations** For ThinkCMF version 6.0.7, consider disabling the Slideshow Management section until a patch is available to prevent the injection of malicious JavaScript code. Restrict access to this section to minimize the risk of exploitation. Avoid using the Slideshow Management feature until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.