Devilauron

**Name of the Vulnerable Software and Affected Versions** VigileCMS version 1.4 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `message` field in the `(1) vedipm` or `(2) live chat` module. **Recommendations** For VigileCMS version 1.4, consider disabling the `vedipm` and `live chat` modules until a patch is available to prevent exploitation of the XSS vulnerabilities. Restrict access to the `message` field in these modules to minimize the risk of arbitrary web script or HTML injection.

**Name of the Vulnerable Software and Affected Versions** VigileCMS version 1.4 **Description** A directory traversal issue in index.php allows remote attackers to include and execute arbitrary local files by using directory traversal sequences in the `module` parameter. **Recommendations** For VigileCMS version 1.4, consider restricting access to the `module` parameter in the index.php file to minimize the risk of exploitation. Avoid using the `module` parameter with untrusted input until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VigileCMS version 1.4 **Description** A cross-site request forgery issue exists, allowing remote attackers to modify the admin password by manipulating certain parameters to the changepass module in index.php. **Recommendations** For VigileCMS version 1.4, consider disabling access to the changepass module in index.php until a fix is available to prevent unauthorized password changes.