Danhle5402

**Name of the Vulnerable Software and Affected Versions** NamelessMC version 2.2.4 **Description** A Reflected Cross-Site Scripting (XSS) issue exists where the application reflects user-supplied input into the HTML response without proper sanitization or output encoding. This occurs at the endpoint "/index.php?route=/queries/user/" via the `id` parameter. An attacker can craft a malicious URL containing JavaScript code that executes in the victim's browser, potentially leading to session hijacking, phishing attacks, or manipulation of page content. **Recommendations** Update to version 2.2.5. As a temporary workaround, avoid using the `id` parameter in the "/index.php?route=/queries/user/" endpoint until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 **Description** Improper handling of scheme-relative URLs allows for an open redirect. The application incorrectly interprets paths starting with double slashes (//) as internal paths and fails to validate the redirect target before processing. This allows an attacker to craft a URL on the trusted domain that redirects users to an external site, which can be used for phishing or exposing tokens and sensitive data during authentication flows. **Recommendations** Update to version 7.2.10. Update to version 7.3.15. Update to version 7.4.10. Update to version 7.5.3. Reject or rewrite redirect parameters that begin with //. Disable `forceDirectoryStructure` if compatible with the deployment.