Quali · Quali CloudShell · CVE-2017-9767
**Name of the Vulnerable Software and Affected Versions**
Quali CloudShell versions prior to 8
**Description**
The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML via several parameters, including `Name` and `Description`, sent to various API endpoints such as `/RM/Reservation/ReserveNew`, `/RM/Topology/Update`, `/SnQ/JobTemplate/Edit`, and `/RM/AbstractTemplate/AddOrUpdateAbstractTemplate`. The vulnerable parameters also include `ExecutionBatches[0].Name`, `ExecutionBatches[0].Description`, `Labels`, and `Alias`.
**Recommendations**
For Quali CloudShell versions prior to 8, update to version 8 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the vulnerable parameters in the affected endpoints until the issue is resolved.
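As an added example (not Quali's code and not part of the original advisory), the Python check below supports triage while the workaround is in place: it scans captured requests for the listed endpoints and parameters carrying tag-like markup, including double-encoded values. The tab-separated `URL<TAB>BODY` record format, case-insensitive matching, and treating any `ExecutionBatches` index like `[0]` are assumptions; the sample records are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Endpoints named in the advisory, lower-cased (assumption: case-insensitive routing).
ENDPOINTS = {
    "/rm/reservation/reservenew",
    "/rm/topology/update",
    "/snq/jobtemplate/edit",
    "/rm/abstracttemplate/addorupdateabstracttemplate",
}
# Parameters named in the advisory.
# Assumption: any ExecutionBatches index is treated like the listed [0].
PARAM_RE = re.compile(
    r"(?:executionbatches\[\d+\]\.)?(?:name|description)|labels|alias", re.I)
# Tag-like markup: '<' followed by a letter, '/' or '!'.
MARKUP_RE = re.compile(r"<\s*[a-z/!]", re.I)

# Constructed sample records: URL, a tab, then the form-encoded body.
SAMPLE = [
    "/RM/Topology/Update\tId=7&Name=lab-net&Description=core+switches",
    "/RM/Reservation/ReserveNew\tName=%3Ci%3Edemo%3C%2Fi%3E&Description=x",
    "/SnQ/JobTemplate/Edit\tExecutionBatches%5B0%5D.Name=%253Cb%253Enightly&Labels=ci",
    "/RM/Other/List\tName=%3Cb%3Ex",
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (bounded) so %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def findings(records):
    """Return (path, parameter, decoded value) for each suspicious field."""
    hits = []
    for line in records:
        url, _, body = line.partition("\t")
        parts = urlsplit(url)
        path = parts.path.rstrip("/").lower()
        if path not in ENDPOINTS:
            continue
        fields = parse_qsl(parts.query, keep_blank_values=True)
        fields += parse_qsl(body, keep_blank_values=True)
        for key, raw in fields:
            value = fully_decode(raw)
            if PARAM_RE.fullmatch(key) and MARKUP_RE.search(value):
                hits.append((path, key, value))
    return hits
```

Hits from `findings()` are candidates for review, and the same matching can be used to audit values already stored before the upgrade to version 8.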