Bigbluewhale111

**Name of the Vulnerable Software and Affected Versions** Plunk versions prior to 0.9.0 **Description** A stored cross-site scripting (XSS) issue exists in the campaign management feature. Authenticated project members can embed malicious scripts in a campaign's email body, which are stored and subsequently rendered in the admin dashboard using React's `dangerouslySetInnerHTML` without HTML sanitization. This allows a lower-privileged member to execute scripts in the context of an admin or other member viewing the campaign, potentially leading to session hijacking or unauthorized actions. **Recommendations** Update to version 0.9.0.

**Name of the Vulnerable Software and Affected Versions** Plunk versions prior to 0.9.0 **Description** The '/webhooks/sns' endpoint accepts Amazon SNS notification payloads from unauthenticated requests without verifying the SNS signature, certificate, or topic ARN. This allows an unauthenticated attacker to forge webhook requests and spoof SNS events to trigger workflow automations, unsubscribe contacts, manipulate email delivery metrics, and potentially exhaust billing credits. **Recommendations** Update to version 0.9.0. As a temporary workaround, restrict access to the '/webhooks/sns' endpoint to minimize the risk of exploitation.