Ellevo · Ellevo · CVE-2024-46655
**Name of the Vulnerable Software and Affected Versions**
Ellevo version 6.2.0.38160
**Description**
A reflected cross-site scripting (XSS) vulnerability allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload or URL.
**Recommendations**
For Ellevo version 6.2.0.38160, as a temporary workaround until a patch is available, consider restricting access to potentially vulnerable API endpoints or URLs that could be used to deliver a crafted payload. At the moment, there is no information about a newer version that contains a fix for this vulnerability.