Frostnull

Researcher rank: #18294 of 53,619
Total CVSS: 14.9
Vulnerabilities: 2 (Medium: 1, High: 1)
PT-2020-10773 · CVSS 6.1 · 2020-05-21 · Gila · Gila Cms · CVE-2019-20803

**Name of the Vulnerable Software and Affected Versions**
Gila CMS versions prior to 1.11.6

**Description**
Reflected cross-site scripting (XSS) via the `id` parameter of the `admin/content/postcategory` endpoint. The parameter is mishandled when `g preview theme` is used. Because the endpoint lives under the admin area, the realistic victim is an authenticated administrator who is lured into opening a crafted URL; the injected script then runs in that administrator's session.

**Recommendations**
Update to version 1.11.6 or later. Until the update is applied, restrict access to `admin/content/postcategory` (for example to trusted networks) to reduce exposure, and treat links into the admin area that arrive by email or chat as untrusted. Note that in a reflected XSS the attacker, not the administrator, supplies the `id` value, so simply not using the parameter yourself is not a mitigation; only output encoding in the application (the vendor fix) removes the flaw.
PT-2020-10774 · CVSS 8.8 · 2020-05-21 · Gila · Gila Cms · CVE-2019-20804

**Name of the Vulnerable Software and Affected Versions**
Gila CMS versions prior to 1.11.6

**Description**
Cross-site request forgery (CSRF) on the `admin/themes` URI with resultant XSS, which can lead to compromise of the admin account. An administrator who visits an attacker-controlled page while logged in can have a request to `admin/themes` submitted on their behalf without their knowledge; the XSS that results executes in the administrator's browser with that session's privileges.

**Recommendations**
Update to version 1.11.6 or later. As a temporary workaround, restrict access to the `admin/themes` URI (for example to trusted networks) to reduce the chance of exploitation, and avoid browsing untrusted sites while logged in to the admin panel. Restricting the URI only limits exposure; the fix for this class of issue is an anti-CSRF token checked on every state-changing admin request, together with output encoding of anything echoed back.
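The two advisories above describe two common web defect classes: a query parameter reflected into HTML without encoding (CVE-2019-20803), and a state-changing admin action that accepts any POST and echoes input back (CVE-2019-20804). The following PHP is an added, illustrative example and is not Gila CMS source code; it puts a vulnerable handler for each pattern next to a hardened one. The endpoint names `admin/content/postcategory` and `admin/themes` and the `id` parameter come from the advisories; the `theme` POST field, the session layout and every function name here are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added, illustrative example: NOT Gila CMS source code. It pairs the two
// defect classes from the advisories above with hardened versions.
// Endpoint names and the `id` parameter come from the advisories; the
// `theme` field and all function names are assumptions for this example.

// ---------------------------------------------------------------------
// CVE-2019-20803 pattern: reflected XSS via a query parameter
// ---------------------------------------------------------------------

// Vulnerable: the raw query value is concatenated into HTML. A link such as
// admin/content/postcategory?id="><script>...</script> opened by a logged-in
// administrator runs the script in the admin session.
function render_postcategory_vulnerable(array $query): string
{
    $id = $query['id'] ?? '';
    return '<input name="id" value="' . $id . '">';
}

// Hardened: validate against the expected shape (a decimal id) and refuse
// to reflect anything else; escape on output regardless, so a later change
// to the validation rule cannot silently reintroduce the bug.
function render_postcategory_hardened(array $query): string
{
    $id = $query['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        return '<p class="error">Invalid category id.</p>';
    }
    $safe = htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="id" value="' . $safe . '">';
}

// ---------------------------------------------------------------------
// CVE-2019-20804 pattern: state-changing admin action without a CSRF check
// ---------------------------------------------------------------------

// Vulnerable: any POST is accepted, so a form auto-submitted from an
// attacker's page in the admin's browser changes state; echoing the
// unescaped value back is the "resultant XSS".
function handle_themes_post_vulnerable(array $post): string
{
    $theme = $post['theme'] ?? '';
    // ... apply the theme change ...
    return '<p>Theme set to ' . $theme . '</p>';
}

// Hardened: a per-session random token is issued with the form and must be
// echoed back in the POST; compare it in constant time. The value is also
// allow-listed and escaped before being shown again.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $session['csrf'];
}

function csrf_valid(array $post, array $session): bool
{
    $sent = $post['csrf'] ?? '';
    return isset($session['csrf'])
        && is_string($sent)
        && hash_equals($session['csrf'], $sent);
}

function handle_themes_post_hardened(array $post, array $session): string
{
    if (!csrf_valid($post, $session)) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(403);
        }
        return '<p class="error">Request rejected: missing or invalid CSRF token.</p>';
    }
    $theme = $post['theme'] ?? '';
    if (!is_string($theme) || !preg_match('/\A[a-z0-9_-]{1,64}\z/', $theme)) {
        return '<p class="error">Unknown theme.</p>';
    }
    // ... apply the theme change ...
    return '<p>Theme set to ' . htmlspecialchars($theme, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed inputs standing in for $_GET / $_POST / $_SESSION, so the file
// runs from the CLI without a web server.
$attackerQuery = ['id' => '"><script>alert(document.cookie)</script>'];
echo render_postcategory_vulnerable($attackerQuery), PHP_EOL; // script tag survives
echo render_postcategory_hardened($attackerQuery), PHP_EOL;   // value rejected

$session = [];
$token = issue_csrf_token($session);
$forgedPost  = ['theme' => 'dark'];                  // cross-site form: no token
$genuinePost = ['theme' => 'dark', 'csrf' => $token]; // form rendered by the app
echo handle_themes_post_hardened($forgedPost, $session), PHP_EOL;  // rejected
echo handle_themes_post_hardened($genuinePost, $session), PHP_EOL; // accepted
```

The token comparison uses `hash_equals` rather than `===` so that a timing side channel cannot be used to recover the token byte by byte, and the token is bound to the session so a value captured from one admin's form is useless against another session. Pairing the CSRF token with a `SameSite` attribute on the session cookie adds a second, browser-enforced layer for the same class of attack.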