Carlos Ramã­Rez L

**Name of the Vulnerable Software and Affected Versions** i-doit versions prior to 1.16.0 **Description** The issue allows remote authenticated attackers to inject arbitrary web script or HTML via vulnerable parameters: `C MONITORING CONFIG TITLE`, `SM2 C MONITORING CONFIG TITLE`, `C MONITORING CONFIG PATH`, `SM2 C MONITORING CONFIG PATH`, `C MONITORING CONFIG ADDRESS`, or `SM2 C MONITORING CONFIG ADDRESS`. This is a Stored Cross-Site Scripting (XSS) issue. **Recommendations** For versions prior to 1.16.0, update to version 1.16.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the parameters `C MONITORING CONFIG TITLE`, `SM2 C MONITORING CONFIG TITLE`, `C MONITORING CONFIG PATH`, `SM2 C MONITORING CONFIG PATH`, `C MONITORING CONFIG ADDRESS`, and `SM2 C MONITORING CONFIG ADDRESS` to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** i-doit version 1.14.2 **Description** A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via certain parameters, including `viewMode`, `tvMode`, `tvType`, `objID`, `catgID`, `objTypeID`, or `editMode`. **Recommendations** For i-doit version 1.14.2, avoid using the parameters `viewMode`, `tvMode`, `tvType`, `objID`, `catgID`, `objTypeID`, or `editMode` in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** i-doit version 1.14.2 **Description** A CSV injection issue allows an attacker to execute arbitrary commands via a `Title` parameter that is mishandled in a CSV export. **Recommendations** For i-doit version 1.14.2, consider restricting the use of the `Title` parameter in CSV exports until a patch is available. As a temporary workaround, avoid using the `Title` parameter in CSV exports to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** phpList versions prior to 3.5.4 **Description** The issue allows for XSS attacks via the "/lists/admin/user.php" and "/lists/admin/users.php" API endpoints. This can potentially lead to malicious script execution. **Recommendations** For versions prior to 3.5.4, update to version 3.5.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/lists/admin/user.php" and "/lists/admin/users.php" endpoints until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Katyshop2 versions prior to 2.12 **Description** The issue concerns multiple stored XSS problems. **Recommendations** For versions prior to 2.12, update to version 2.12 or later to resolve the issue.