Brian Lowe

**Name of the Vulnerable Software and Affected Versions** Gibbon version 22 **Description** A reflected XSS issue exists in multiple pages of the Gibbon application, allowing for arbitrary execution of JavaScript. This is achieved by manipulating parameters such as `gibbonCourseClassID`, `gibbonPersonID`, `subpage`, `currentDate`, or `allStudents` in the `index.php` page. **Recommendations** For version 22, consider disabling the execution of JavaScript in the affected pages as a temporary workaround until a patch is available. Restrict access to the `index.php` page to minimize the risk of exploitation. Avoid using the parameters `gibbonCourseClassID`, `gibbonPersonID`, `subpage`, `currentDate`, or `allStudents` in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** openSIS version 8.0 **Description** A SQL injection issue exists due to inadequate protection of the SQL query structure. This allows a remote attacker to execute arbitrary SQL commands using the `USERNAME` parameter in the "index.php" endpoint. The issue may be related to an incomplete fix for a previous problem. **Recommendations** For openSIS version 8.0, consider restricting access to the `USERNAME` parameter in the "index.php" endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.