Bogdan Tiron

**Name of the Vulnerable Software and Affected Versions** Kaspersky Security 8.0 for Linux Mail Server **Description** The issue allows an attacker to potentially force an administrator to click on a malicious link to perform unauthorized actions. This is due to the lack of measures to neutralize special elements, which can be exploited by a remote attacker. **Recommendations** For Kaspersky Security 8.0 for Linux Mail Server, consider disabling any functionality that may lead to administrators clicking on malicious links until a patch is available. Restrict access to potentially vulnerable components to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Concrete CMS (previously concrete5) versions 8.5.12 and below Concrete CMS (previously concrete5) versions 9.0 through 9.1.3 **Description** The issue is related to Reflected XSS on the Reply form because the `msgID` was not sanitized. This allows for potential exploitation. **Recommendations** For versions 8.5.12 and below, update to version 9.2 or later. For versions 9.0 through 9.1.3, update to version 9.2 or later. As a temporary workaround, consider restricting access to the Reply form until a patch is available. Avoid using the `msgID` parameter in the affected Reply form endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Concrete versions 8.5.7 and below Concrete versions 9.0 through 9.0.2 **Description** The issue is related to insufficient sanitation where built URLs are outputted, which can be exploited for XSS attacks when using an older browser with built-in XSS protection disabled. This cannot be exploited in modern-day web browsers due to an automatic input escape mechanism. The API endpoint "/dashboard/blocks/stacks/view details/" is affected. **Recommendations** For Concrete versions 8.5.7 and below, update to a version above 8.5.7 to resolve the issue. For Concrete versions 9.0 through 9.0.2, update to a version above 9.0.2 to resolve the issue. As a temporary workaround, consider disabling the use of the "/dashboard/blocks/stacks/view details/" endpoint in older browsers until a patch is available.