Shaarli · Shaarli · CVE-2017-15215
**Name of the Vulnerable Software and Affected Versions**
Shaarli version 0.9.1
**Description**
The issue allows an unauthenticated attacker to inject JavaScript via the `searchtags` parameter to "index.php". If the victim is an administrator, an attacker can take over the admin session, change global settings, or add/delete links. It is also possible to execute JavaScript against unauthenticated users.
**Recommendations**
For Shaarli version 0.9.1, consider restricting access to the "index.php" endpoint or avoiding use of the `searchtags` parameter until a fix is available. As a temporary workaround, filter or block attempts to inject JavaScript code to reduce the risk of exploitation.
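To check whether the `searchtags` parameter has already been probed, web-server access logs can be triaged for values that carry markup characters. The script below is an added example, not part of the advisory or of Shaarli; the log format, the sample lines, and the assumption that "/" is served by "index.php" are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines (common log format); not from a real system.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2017:10:00:01 +0000] "GET /index.php?searchtags=security+php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2017:10:02:17 +0000] "GET /index.php?searchtags=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 5233',
    '203.0.113.9 - - [10/Oct/2017:10:02:40 +0000] "GET /?searchtags=%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5190',
    '198.51.100.7 - - [10/Oct/2017:10:05:02 +0000] "GET /index.php?searchterm=%3Cb%3E HTTP/1.1" 200 4980',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Characters that have no place in a tag name but are needed to build markup.
MARKUP_RE = re.compile(r'[<>"\'`]')


def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_searchtags(line):
    """Return the decoded searchtags value if it carries markup, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    # Assumption: "/" is served by index.php (directory index).
    if not url.path.endswith(("/", "index.php")):
        return None
    for raw in parse_qs(url.query, keep_blank_values=True).get("searchtags", []):
        value = fully_decode(raw)  # parse_qs has already decoded once
        if MARKUP_RE.search(value):
            return value
    return None


def triage(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    hits = ((n, suspicious_searchtags(line)) for n, line in enumerate(lines, 1))
    return [(n, value) for n, value in hits if value is not None]


if __name__ == "__main__":
    for number, value in triage(SAMPLE_LOG):
        print(f"line {number}: searchtags={value!r}")
```

Quotes and apostrophes are flagged too, so a legitimate tag containing one will show up as a hit and needs manual review.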