Henry Hoggard

**Name of the Vulnerable Software and Affected Versions** Vanilla Forums LatestComment plugin version 1.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the discussion title. This could potentially lead to unauthorized actions on the affected forum. **Recommendations** For Vanilla Forums LatestComment plugin version 1.1, consider disabling the plugin until a patch is available to prevent exploitation. Restrict access to the discussion title feature to minimize the risk of XSS attacks.

**Name of the Vulnerable Software and Affected Versions** FirstLastNames plugin version 1.1.1 for Vanilla Forums **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `User/FirstName` or `User/LastName` parameter to the edit user page, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For FirstLastNames plugin version 1.1.1, consider restricting access to the edit user page or validating and sanitizing the `User/FirstName` and `User/LastName` parameters to prevent arbitrary web script or HTML injection until a patch is available.

**Name of the Vulnerable Software and Affected Versions** AboutMe plugin version 1.1.1 for Vanilla Forums **Description** The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters to the Edit My Details page, including `AboutMe/RealName`, `AboutMe/Name`, `AboutMe/Quote`, `AboutMe/Loc`, `AboutMe/Emp`, `AboutMe/JobTit`, `AboutMe/HS`, `AboutMe/Col`, `AboutMe/Bio`, `AboutMe/Inter`, `AboutMe/Mus`, `AboutMe/Gam`, `AboutMe/Mov`, `AboutMe/FTV`, or `AboutMe/Bks`. **Recommendations** As a temporary workaround, consider restricting access to the Edit My Details page until a patch is available. Avoid using the parameters `AboutMe/RealName`, `AboutMe/Name`, `AboutMe/Quote`, `AboutMe/Loc`, `AboutMe/Emp`, `AboutMe/JobTit`, `AboutMe/HS`, `AboutMe/Col`, `AboutMe/Bio`, `AboutMe/Inter`, `AboutMe/Mus`, `AboutMe/Gam`, `AboutMe/Mov`, `AboutMe/FTV`, or `AboutMe/Bks` in the affected page until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.