LedgerSMB · LedgerSMB · CVE-2024-23831
**Name of the Vulnerable Software and Affected Versions**
LedgerSMB versions prior to 1.10.30
LedgerSMB versions prior to 1.11.9
**Description**
LedgerSMB is a free web-based double-entry accounting system. Versions before 1.10.30 and 1.11.9 are vulnerable to cross-site request forgery (CSRF) on the database-administration endpoint "/setup.pl". While a LedgerSMB database administrator has an active "/setup.pl" session, an attacker can lure the administrator into following a link to an attacker-controlled page that automatically submits a request to "/setup.pl". The browser attaches the administrator's session cookie to that request, so the server cannot distinguish it from a request the administrator made deliberately, and no consent or interaction beyond opening the page is needed. The forged request can be used to create a new user account with full privileges in the main application ("/login.pl"), resulting in privilege escalation.
**Recommendations**
For versions prior to 1.10.30, update to version 1.10.30 or later.
For versions prior to 1.11.9, update to version 1.11.9 or later.
As a temporary workaround, restrict access to the "/setup.pl" endpoint, for example at the reverse proxy to the hosts administrators use for setup, or block it entirely outside maintenance windows. Note that the forged request is issued by the administrator's own browser, so a source-address restriction does not stop it while an administrator is logged in from a permitted host; administrators should also log out of "/setup.pl" as soon as they are done and avoid browsing other sites during that session.
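The following is an added example and not LedgerSMB's own code. It models, for a privileged endpoint such as "/setup.pl", both layers mentioned above: the temporary source-network restriction (workaround) and an application-side CSRF check that rejects a forged request even though it arrives with the administrator's session cookie (fix). The request layout, parameter names, allow-listed network and site origin are assumptions chosen for illustration; the constructed requests in `demo()` walk through the attack shape described in the advisory.

```python
# Added example, not LedgerSMB code. Request records, the "csrf_token" form
# field, ADMIN_NETWORKS and SITE_ORIGIN are assumptions for illustration.
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit

ADMIN_PATH = "/setup.pl"
SITE_ORIGIN = "https://books.example.com"              # assumed deployment origin
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed admin network


def make_request(remote_addr, origin=None, referer=None, sec_fetch_site=None,
                 form=None, method="POST", path=ADMIN_PATH):
    """Constructed request record standing in for a PSGI/WSGI environ."""
    headers = {}
    if origin is not None:
        headers["Origin"] = origin
    if referer is not None:
        headers["Referer"] = referer
    if sec_fetch_site is not None:
        headers["Sec-Fetch-Site"] = sec_fetch_site
    return {"remote_addr": remote_addr, "method": method, "path": path,
            "headers": headers, "form": form or {}}


def source_allowed(remote_addr):
    """Workaround layer: only the admin networks may reach the setup endpoint."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in ADMIN_NETWORKS)


def issue_csrf_token(session):
    """Synchronizer token: unguessable, stored server side, bound to the session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def _origin_of(url):
    """Reduce an Origin or Referer value to scheme://host[:port]. Compare whole
    origins, never prefixes, so https://books.example.com.attacker.test fails."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_ok(request, session):
    """Fix layer. The forged request rides on the admin's own session cookie, so
    the cookie proves nothing; demand evidence an attacker's page cannot forge."""
    headers = request["headers"]
    if headers.get("Sec-Fetch-Site") == "cross-site":   # set by modern browsers
        return False
    source = headers.get("Origin") or headers.get("Referer")
    if source is None or _origin_of(source) != SITE_ORIGIN:  # fail closed if absent
        return False
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())


def handle_setup_post(request, session):
    """Returns an outcome label; a real handler would only then create the user."""
    if request["path"] != ADMIN_PATH:
        return "not-setup"
    if not source_allowed(request["remote_addr"]):
        return "denied-network"
    if request["method"] == "POST" and not csrf_ok(request, session):
        return "denied-csrf"
    return "accepted"


def demo():
    """Constructed scenarios mirroring the advisory's attack path."""
    session = {}                       # server-side session of the logged-in admin
    token = issue_csrf_token(session)
    results = {}
    # Legitimate submission from the setup UI on an admin workstation.
    results["admin"] = handle_setup_post(make_request(
        "10.0.0.7", origin=SITE_ORIGIN, sec_fetch_site="same-origin",
        form={"csrf_token": token}), session)
    # Forged request: the admin's own browser (inside the allowed network, cookie
    # attached) auto-submits a form from the attacker's page; the network layer
    # lets it through, only the CSRF layer stops it.
    results["csrf"] = handle_setup_post(make_request(
        "10.0.0.7", origin="https://attacker.test", sec_fetch_site="cross-site"),
        session)
    # Lookalike Referer, no Origin, older browser without Sec-Fetch-Site.
    results["lookalike"] = handle_setup_post(make_request(
        "10.0.0.7", referer="https://books.example.com.attacker.test/x"), session)
    # Attacker hitting the endpoint directly from outside the admin network.
    results["outside"] = handle_setup_post(make_request(
        "203.0.113.9", origin=SITE_ORIGIN, form={"csrf_token": token}), session)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} -> {outcome}")
```

The "csrf" scenario is the one that matters for the workaround: the source-address check passes because the request genuinely comes from the administrator's machine, and only the origin and token checks reject it. The token is compared with `hmac.compare_digest` to avoid timing leaks, and the origin comparison is on the full scheme and host rather than a string prefix.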