Apache · Roller Weblogger · CVE-2006-4856
**Name of the Vulnerable Software and Affected Versions**
Roller WebLogger version 2.3
**Description**
The issue is a cross-site scripting (XSS) weakness: remote attackers can inject arbitrary web script or HTML via certain parameters, including the `name`, `email`, and `url` parameters (comment fields), and the `q` parameter of the "sitesearch.do" endpoint. Certain content parameters in the preview method are also affected.
**Recommendations**
For Roller WebLogger version 2.3, consider restricting access to the affected parameters (`name`, `email`, `url`, and `q`) until a patch is available. As a temporary workaround, avoid using the affected content parameters in the preview method.
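As an added example (not code from the Roller project or this advisory), the Python helper below shows the mitigation the advisory implies for each affected parameter: HTML-encode the comment `name` and `email` values for the context they land in, allow-list the scheme of `url` before it is placed in an `href`, and encode the `q` value that the search page echoes back. The function names and the sample request values are constructed for illustration.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample input: values as they might arrive in the comment
# form's name/email/url parameters and in the search q parameter.
# These are illustrative only, not captured Roller traffic.
SAMPLE_COMMENT = {
    "name": "<script>alert(1)</script>",
    "email": 'bob@example.com"><img src=x onerror=alert(1)>',
    "url": "javascript:alert(1)",
}
SAMPLE_QUERY = '"><svg onload=alert(1)>'

SAFE_URL_SCHEMES = ("http", "https")


def safe_url(value: str) -> Optional[str]:
    """Return the URL only if it is an absolute http(s) URL, else None.
    A javascript: or data: value inside href executes even when the text
    around it is HTML-escaped, so scheme allow-listing is required."""
    candidate = value.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in SAFE_URL_SCHEMES or not parts.netloc:
        return None
    return candidate


def render_comment(name: str, email: str, url: str) -> str:
    """Render a comment author line with every untrusted value encoded
    for the HTML context it lands in (text node or quoted attribute)."""
    author = html.escape(name, quote=True)
    link = safe_url(url)
    if link is None:
        # Drop the link entirely rather than emit an unsafe scheme.
        return f'<span class="author">{author}</span>'
    return (f'<a class="author" href="{html.escape(link, quote=True)}" '
            f'title="{html.escape(email, quote=True)}">{author}</a>')


def render_search_heading(q: str) -> str:
    """The search page echoes the query back into the page; encode it."""
    return f"<h2>Results for: {html.escape(q, quote=True)}</h2>"
```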