Gil Correia

**Name of the Vulnerable Software and Affected Versions** Flipsnack version 18/03/2024 **Description** An issue in Flipsnack allows a local attacker to obtain sensitive information via the `reader.gz.js` file. **Recommendations** For Flipsnack version 18/03/2024, consider restricting access to the `reader.gz.js` file as a temporary workaround until a patch is available.

**Name of the Vulnerable Software and Affected Versions** CrafterCMS versions 3.1.0 through 3.1.26 CrafterCMS versions 4.0.0 through 4.0.1 **Description** The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks. The vulnerability affects Crafter Studio on various operating systems and architectures. **Recommendations** For CrafterCMS versions 3.1.0 through 3.1.26, update to a version outside of this range to resolve the issue. For CrafterCMS versions 4.0.0 through 4.0.1, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to sensitive SQL commands to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Craft CMS version 4.2.0.1 **Description** The issue is related to Cross Site Scripting (XSS) in the file src/web/assets/cp/src/js/BaseElementSelectInput.js, specifically on the line `label: elementInfo.label`. This suggests a potential problem with how user input is handled, allowing for malicious scripts to be injected into the website. **Recommendations** For Craft CMS version 4.2.0.1, consider disabling the `BaseElementSelectInput.js` file or restricting access to it until a patch is available. Additionally, avoid using the `label` variable in the affected API endpoint or function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Craft CMS versions 3.70-RC1 through 3.7.55.1 Craft CMS versions 4.0.0-RC1 through 4.2.0.1 **Description** The issue is related to Cross Site Scripting (XSS) and can be exploited via entry revisions and drafts. **Recommendations** For Craft CMS versions 3.70-RC1 through 3.7.55.1, update to version 3.7.55.2 to resolve the issue. For Craft CMS versions 4.0.0-RC1 through 4.2.0.1, update to version 4.2.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Craft CMS version 4.2.0.1 **Description** The issue is related to Stored Cross Site Scripting (XSS) in the "/admin/myaccount" API endpoint. This allows for malicious scripts to be stored and executed on the platform. **Recommendations** For Craft CMS version 4.2.0.1, as a temporary workaround, consider restricting access to the "/admin/myaccount" endpoint until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Craft CMS version 4.2.0.1 **Description** The issue is related to a stored cross-site scripting (XSS) vulnerability. This occurs via the /admin/settings/fields page, allowing potential attackers to inject malicious scripts. Cross-site scripting (XSS) is a type of security vulnerability that can be used by attackers to steal user sessions, deface websites, or redirect users to malicious sites. **Recommendations** For Craft CMS version 4.2.0.1, as a temporary workaround, consider restricting access to the /admin/settings/fields page until a patch is available. Additionally, avoid using any potentially vulnerable fields in the settings page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Craft CMS version 4.2.0.1 **Description** The issue is related to Cross Site Scripting (XSS) via the file `src/helpers/Cp.php`. This allows for potential malicious script execution. **Recommendations** For Craft CMS version 4.2.0.1, consider restricting access to the `src/helpers/Cp.php` file until a patch is available. As a temporary workaround, avoid using any functionality that relies on this file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.