
Florian Lienhart

Researcher from SEC Consult Vulnerability Lab

Rank: #43224 of 53,640

Total CVSS: 6.1

Vulnerabilities · 1
PT-2021-19410
6.1
2021-05-11
Sis · Sis-Rewe Go · CVE-2021-31537
**Name of the Vulnerable Software and Affected Versions**

SIS SIS-REWE Go versions prior to 7.7 SP17

**Description**

The issue allows for XSS attacks. It affects the 'rewe/prod/web/index.php' endpoint, where the vulnerable parameters are `config`, `version`, `win`, `db`, `pwd`, and `user`. The '/rewe/prod/web/rewe go check.php' endpoint is also affected, where `version` and all other parameters are vulnerable.

**Recommendations**

For versions prior to 7.7 SP17, update to version 7.7 SP17 or later to resolve the issue. As a temporary workaround, consider restricting access to the 'rewe/prod/web/index.php' and '/rewe/prod/web/rewe go check.php' endpoints until the update is applied. Avoid using the vulnerable parameters `config`, `version`, `win`, `db`, `pwd`, and `user` in the 'rewe/prod/web/index.php' endpoint and the `version` parameter in the '/rewe/prod/web/rewe go check.php' endpoint until the issue is resolved.