Dalii

**Name of the Vulnerable Software and Affected Versions** ApolloTheme AP PageBuilder versions through 2.4.4 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `show number` parameter. **Recommendations** For ApolloTheme AP PageBuilder versions through 2.4.4, consider restricting access to the `show number` parameter to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NdkAdvancedCustomizationFields version 3.5.0 **Description** A cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via crafted payloads injected into the `htmlNodes` parameter. This enables attackers to potentially manipulate web page content or steal user data. **Recommendations** For NdkAdvancedCustomizationFields version 3.5.0, consider disabling the use of the `htmlNodes` parameter until a patch is available to prevent exploitation. Restrict access to areas of the application where this parameter is used to minimize the risk of XSS attacks.

**Name of the Vulnerable Software and Affected Versions** ndk design NdkAdvancedCustomizationFields version 3.5.0 **Description** The issue is related to Server-side request forgery (SSRF) via the rotateimg.php file. This allows for potential unauthorized access to internal resources. **Recommendations** For ndk design NdkAdvancedCustomizationFields version 3.5.0, consider restricting access to the rotateimg.php file as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NdkAdvancedCustomizationFields version 3.5.0 **Description** The issue concerns a Cross Site Scripting (XSS) problem. It can be exploited via the createPdf.php endpoint. **Recommendations** For version 3.5.0, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the createPdf.php endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** NdkAdvancedCustomizationFields version 3.5.0 **Description** A SQL injection issue in the `height` and `width` parameters allows unauthenticated attackers to exfiltrate database data. **Recommendations** For NdkAdvancedCustomizationFields version 3.5.0, avoid using the `height` and `width` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.