Kanboard · Kanboard · CVE-2025-46825
**Name of the Vulnerable Software and Affected Versions**
Kanboard versions 1.2.26 through 1.2.44
**Description**
The issue is a Stored Cross-Site Scripting (XSS) vulnerability in the `name` parameter of the `http://localhost/?controller=ProjectCreationController&action=create` form. It allows an attacker to inject scripts into web pages viewed by other users. The default content security policy (CSP) blocks the JavaScript payload, but the issue can still be exploited on a badly configured instance, and even with the default CSP the software is exposed to CSS injection because that policy contains the `unsafe-inline` directive.
**Recommendations**
For versions 1.2.26 through 1.2.44, update to version 1.2.45 or later to resolve the issue.
As a temporary workaround, consider restricting access to the `http://localhost/?controller=ProjectCreationController&action=create` form until the update is applied.
Additionally, review and adjust the content security policy (CSP) to prevent CSS injection by removing the `unsafe-inline` directive if possible.