B1Tm4R

**Name of the Vulnerable Software and Affected Versions** Code Astro Internet Banking System version 2.0.0 **Description** The issue concerns Cross Site Scripting (XSS) via the `name` parameter in the "/admin/pages account.php" API endpoint. This allows for potential malicious script injection. No information is provided about the estimated number of potentially affected devices worldwide or real-world incidents where this issue was exploited. **Recommendations** For Code Astro Internet Banking System version 2.0.0, avoid using the `name` parameter in the "/admin/pages account.php" API endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the "/admin/pages account.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Code Astro Internet Banking System version 2.0.0 **Description** A Remote Code Execution (RCE) vulnerability exists due to improper file upload validation in the `profile pic` parameter within `pages view client.php`. **Recommendations** Code Astro Internet Banking System version 2.0.0: Address the improper file upload validation in the `profile pic` parameter within the `pages view client.php` file.

**Name of the Vulnerable Software and Affected Versions** Code Astro Internet Banking System version 2.0.0 **Description** A Stored Cross-Site Scripting (XSS) issue exists in the `name` parameter of `pages add acc type.php` in the Code Astro Internet Banking System. This allows for malicious script execution. **Recommendations** For Code Astro Internet Banking System version 2.0.0, consider disabling the `pages add acc type.php` page or restricting access to it until a patch is available. Additionally, avoid using the `name` parameter in the affected page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.