Crownztx

**Name of the Vulnerable Software and Affected Versions** Ampache versions prior to 6.3.1 **Description** A stored Cross Site Scripting (XSS) issue allows a remote attacker to execute code via a crafted payload to several parameters in the post request of "/preferences.php?action=admin update preferences". **Recommendations** For versions prior to 6.3.1, update to version 6.3.1 to resolve the issue. As a temporary workaround, consider restricting access to the "/preferences.php?action=admin update preferences" endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ImpressCMS versions 1.4.5 and earlier **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `smile code` parameter of the component "/editprofile.php". This enables attackers to potentially manipulate user sessions or steal sensitive information. **Recommendations** For ImpressCMS versions 1.4.5 and earlier, as a temporary workaround, consider restricting access to the "/editprofile.php" component until a patch is available. Avoid using the `smile code` parameter in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Geeklog version 2.2.2 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Mail Settings[backend]`, `Mail Settings[host]`, `Mail Settings[port]`, and `Mail Settings[auth]` parameters of the "/admin/configuration.php" API endpoint. **Recommendations** For Geeklog version 2.2.2, update to a version that fixes the cross-site scripting vulnerabilities. As a temporary workaround, consider restricting access to the "/admin/configuration.php" API endpoint to minimize the risk of exploitation. Avoid using the `Mail Settings[backend]`, `Mail Settings[host]`, `Mail Settings[port]`, and `Mail Settings[auth]` parameters in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Geeklog version 2.2.2 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Rule` and `Route` parameters of "/admin/router.php" API endpoint. This enables the execution of malicious code on the web application. **Recommendations** For Geeklog version 2.2.2, consider disabling access to the "/admin/router.php" API endpoint until a patch is available, and restrict the use of the `Rule` and `Route` parameters to minimize the risk of exploitation.