Harrison Daley

**Name of the Vulnerable Software and Affected Versions** Issuetrak version 17.1 **Description** A HTML Injection issue was identified that could be triggered by an authenticated user. HTML markup could be added to comments of tickets, which when submitted will render in the emails sent to all users on that ticket. **Recommendations** For Issuetrak version 17.1, consider restricting the ability to add HTML markup to comments until a fix is available. As a temporary workaround, consider validating and sanitizing user input in comments to prevent malicious HTML code from being executed. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Issuetrak version 17.1 **Description** A hidden field manipulation issue was identified that could be triggered by an authenticated user. When an authenticated user submits a ticket, the request can be intercepted and modified by using a proxy. The ticket requester can be changed from the original requester to another user in the same application, which the application then accepts. **Recommendations** For Issuetrak version 17.1, consider disabling the ticket submission feature until a patch is available to prevent exploitation of the hidden field manipulation issue. Restrict access to the proxy modification functionality to minimize the risk of interception and modification of ticket requests. Avoid using the ticket submission feature with untrusted or unverified users until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.