Hadi Kiamarsi

**Name of the Vulnerable Software and Affected Versions** Rumba XML version 1.8 **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via the PATH INFO in index.php. **Recommendations** For Rumba XML version 1.8, update the index.php file to properly sanitize the PATH INFO input to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the index.php file until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Softpedia SiteXS CMS version 0.1.1 Pre-Alpha **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `user` parameter in the index.php file. **Recommendations** For Softpedia SiteXS CMS version 0.1.1 Pre-Alpha, consider restricting access to the index.php file until a patch is available, and avoid using the `user` parameter in the affected endpoint.

**Name of the Vulnerable Software and Affected Versions** Chilek Content Management System (aka ChiCoMaS) version 2.0.4 **Description** The issue allows remote attackers to execute arbitrary PHP code via a URL in the `lang` parameter to the default URI under install/. This can also be leveraged to include and execute arbitrary local files via directory traversal sequences. **Recommendations** For Chilek Content Management System (aka ChiCoMaS) version 2.0.4, consider restricting access to the install/ directory and validating the `lang` parameter to prevent directory traversal sequences until a patch is available. Avoid using the `lang` parameter in the affected API endpoint until the issue is resolved.