Ablespace · Ablespace · CVE-2009-1315
**Name of the Vulnerable Software and Affected Versions**
AbleSpace version 1.0
**Description**
Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. Injection is possible via the `gid` parameter to "groups_profile.php", the `cat_id` and `razd_id` parameters to "adv_cat.php", and the URL to "blogs_full.php".
**Recommendations**
For AbleSpace version 1.0, as a temporary workaround, consider restricting access to the vulnerable parameters `gid`, `cat_id`, and `razd_id` in their respective scripts until a patch is available. Avoid using these parameters in the affected scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
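
One way to apply the temporary workaround is a request filter in front of the application. The following is an added example, not code from AbleSpace or from this advisory. It assumes the three parameters are numeric IDs, and the names `check_request`, `NUMERIC_PARAMS` and `URL_CHECKED` are hypothetical. It goes slightly beyond the text by also handling double percent-encoding and PHP's parameter-name normalisation.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Scripts and parameters named in the advisory. Treating the parameters as
# numeric IDs is an assumption of this example.
NUMERIC_PARAMS = {"groups_profile.php": {"gid"},
                  "adv_cat.php": {"cat_id", "razd_id"}}
URL_CHECKED = {"blogs_full.php"}      # injection point is the URL itself
NUMERIC = re.compile(r"[0-9]{1,10}")
MARKUP = re.compile(r"[<>\"'`]")


def _decode(text, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is still seen."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def check_request(url):
    """Return (allowed, reason) for a request target (path plus query)."""
    parts = urlsplit(url)
    segments = _decode(parts.path).lower().split("/")
    script = next((s for s in segments if s.endswith(".php")), "")
    if script in URL_CHECKED and MARKUP.search(_decode(url)):
        return False, "markup characters in URL to " + script
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # PHP maps "." and " " in a name to "_" and reads name[...] as an
        # array, so normalise the name before comparing.
        name = re.sub(r"[ .]", "_", key.split("[", 1)[0])
        if name in NUMERIC_PARAMS.get(script, ()) and not NUMERIC.fullmatch(value):
            return False, "non-numeric %s for %s" % (name, script)
    return True, "ok"


# Constructed sample request targets, not taken from real traffic.
SAMPLES = [
    "/groups_profile.php?gid=12",
    "/groups_profile.php?gid=12%22%3E%3Cb%3E",
    "/adv_cat.php?cat.id=3&razd_id=%253Cb%253E",
    "/blogs_full.php/%253Cb%253E",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(check_request(target), target)
```

The same function can be run over request lines from access logs to flag earlier attempts against these scripts.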