Daniel Puente

**Name of the Vulnerable Software and Affected Versions** Enhavo version 0.13.1 **Description** The issue is related to an HTML injection vulnerability in the Author text field under the Blockquote module. This allows attackers to execute arbitrary code via a crafted payload. **Recommendations** For Enhavo version 0.13.1, consider disabling the Author text field under the Blockquote module as a temporary workaround until a patch is available. Restrict access to this module to minimize the risk of exploitation. Avoid using the Author text field in the Blockquote module until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Enhavo CMS version 0.13.1 **Description** A cross-site scripting (XSS) issue in the New/Edit Article module allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Create Tag` text field. **Recommendations** For Enhavo CMS version 0.13.1, consider disabling the New/Edit Article module or restricting access to the Create Tag text field until a patch is available. As a temporary workaround, avoid using the Create Tag text field in the New/Edit Article module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Enhavo CMS version 0.13.1 **Description** A cross-site scripting (XSS) issue in the Header module allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Undertitle` text field. This enables attackers to potentially manipulate the website's behavior or steal user data. **Recommendations** For Enhavo CMS version 0.13.1, consider disabling the Header module or restricting access to the Undertitle text field until a patch is available. As a temporary workaround, avoid using the Undertitle text field in the Header module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Enhavo CMS version 0.13.1 **Description** A cross-site scripting (XSS) issue in the Header module allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Title` text field. **Recommendations** For Enhavo CMS version 0.13.1, consider disabling the Header module until a patch is available to prevent exploitation. Restrict access to the Title text field in the Header module to minimize the risk of arbitrary script execution.

**Name of the Vulnerable Software and Affected Versions** Subrion version 4.2.1 **Description** A Cross-site scripting (XSS) vulnerability in the Reference ID from the panel Transactions of Subrion allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Reference ID` parameter. This issue enables attackers to potentially manipulate the web application's behavior. **Recommendations** For Subrion version 4.2.1, as a temporary workaround, consider restricting access to the `Reference ID` parameter in the Transactions panel until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.