Athul S

**Name of the Vulnerable Software and Affected Versions** SeedDMS version 6.0.29 **Description** A Stored Cross-Site Scripting issue exists, allowing a user or rogue admin with the "Add Category" permission to inject a malicious payload into the category name field. When a document is associated with this category, the payload is stored on the server and rendered without proper sanitization, resulting in the payload executing in the browser of any user who views the document. **Recommendations** For SeedDMS version 6.0.29, as a temporary workaround, consider restricting the "Add Category" permission to trusted users until a patch is available. Additionally, avoid using the category name field for any potentially malicious input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** FlatPress version 1.3.1 **Description** A stored Cross-Site Scripting issue was identified within the "Add Entry" feature, allowing authenticated attackers to inject malicious JavaScript payloads into blog posts. This is executed when other users view the posts due to improper input sanitization of the `TextArea` field in the blog entry submission form. **Recommendations** For FlatPress version 1.3.1, ensure proper input sanitization of the `TextArea` field in the blog entry submission form to prevent malicious JavaScript injections. As a temporary workaround, consider restricting access to the "Add Entry" feature until a fix is applied.