Ezequiel

#21811 of 53,632
10.9 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2019-14627
6.1
2019-09-15
Scadabr · Scadabr · CVE-2019-16321
**Name of the Vulnerable Software and Affected Versions**
ScadaBR versions 1.0CE through 1.1.0-RC

**Description**
The issue is related to a request for a nonexistent resource. It can be exploited via the "dwr/test/" PATH_INFO, allowing for XSS attacks.

**Recommendations**
For ScadaBR versions 1.0CE through 1.1.0-RC, as a temporary workaround, consider restricting access to the "dwr/test/" PATH_INFO to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2018-15171
4.8
2018-12-06
Zenitel Norway · Ip-Stationweb · CVE-2018-19927
**Name of the Vulnerable Software and Affected Versions**
Zenitel Norway IP-StationWeb versions prior to 4.2.3.9

**Description**
The issue allows for stored XSS via the Display Name for Station Status or Account Settings, related to the `goform/zForm_save_changes` `sip_nick` parameter. In some cases, the password of `alphaadmin` for the admin account may be used for authentication.

**Recommendations**
For versions prior to 4.2.3.9, update to version 4.2.3.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `goform/zForm_save_changes` endpoint and avoiding the use of the `sip_nick` parameter until the issue is resolved.