
David Aaron

Researcher from Trustwave SpiderLabs
#51959 of 53,632
4.3 Total CVSS
Vulnerabilities · 1
PT-2019-6784
4.3
2019-11-13
Bitweaver · Bitweaver · CVE-2012-5193
**Name of the Vulnerable Software and Affected Versions**

Bitweaver versions 2.8.1 and earlier

**Description**

The issue allows remote attackers to inject arbitrary web script or HTML (cross-site scripting). This can be achieved via the path info to certain API endpoints such as "stats/index.php" or "newsletters/edition.php", or by manipulating specific parameters: the `username` parameter to "users/remind password.php", the `days` parameter to "stats/index.php", the `login` parameter to "users/register.php", or the `highlight` parameter.

**Recommendations**

For Bitweaver versions 2.8.1 and earlier, consider disabling access to the vulnerable API endpoints "stats/index.php", "newsletters/edition.php", "users/remind password.php", and "users/register.php" until a patch is available. Additionally, restrict the use of the `username`, `days`, `login`, and `highlight` parameters in the respective scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.