Detefix

**Name of the Vulnerable Software and Affected Versions** PHPNews version 1.3.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `url`, `id`, `subject`, `username`, or `time` parameter in templates/link temp.php, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For PHPNews version 1.3.0, as a temporary workaround, consider restricting access to the templates/link temp.php file until a patch is available. Avoid using the parameters `url`, `id`, `subject`, `username`, or `time` in the affected template file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** CuteNews version 1.3.6 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `result` parameter in the API endpoint. This could potentially lead to unauthorized actions on the affected system. **Recommendations** For CuteNews version 1.3.6, update to a newer version that contains a fix for this issue to prevent remote attackers from injecting arbitrary web script or HTML. As a temporary workaround, consider restricting access to the `result` parameter to minimize the risk of exploitation.