Hieuminhnv

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.3.57186 **Description** The issue is related to Cross Site Scripting (XSS) via the Nest library module. **Recommendations** For Zenario CMS version 9.3.57186, consider disabling the Nest library module as a temporary workaround until a patch is available. Restrict access to the module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.3.57186 **Description** The issue is related to Cross Site Scripting (XSS) via News articles. This means that an attacker could potentially inject malicious scripts into news articles, which could then be executed by users' browsers, leading to unauthorized actions or data theft. **Recommendations** For Zenario CMS version 9.3.57186, consider disabling the News article feature until a patch is available to prevent potential XSS attacks. Restrict access to editing News articles to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.3.57186 **Description** The issue is related to Cross Site Scripting (XSS) and can be exploited via a user's profile. **Recommendations** For Zenario CMS version 9.3.57186, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.3.57186 **Description** The issue is related to Cross Site Scripting (XSS) via svg in the Users & Contacts section. **Recommendations** For Zenario CMS version 9.3.57186, consider disabling the svg functionality in the Users & Contacts section until a patch is available. Restrict access to the Users & Contacts module to minimize the risk of exploitation. Avoid using the svg feature in the affected area until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.0.54156 **Description** The issue allows for Cross Site Scripting (XSS) via the upload of malicious files with an *.SVG extension. An attacker can exploit this by sending these malicious files to victims, potentially stealing their cookies and leading to account takeover. The person viewing the image of a contact can be a victim of XSS. **Recommendations** For Zenario CMS version 9.0.54156, consider disabling the upload of *.SVG files until a patch is available to prevent the exploitation of this issue. Restrict access to the image viewing feature for contacts to minimize the risk of exploitation. Avoid using the feature that allows the upload of files, especially *.SVG files, in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Zenario CMS version 9.0.54156 **Description** The issue allows an attacker to compromise the web server by uploading and executing a web-shell, which can be used to run commands, browse system files, browse local resources, attack other servers, and exploit local vulnerabilities. **Recommendations** For Zenario CMS version 9.0.54156, consider restricting file upload capabilities to prevent the execution of malicious scripts until a fix is available. As a temporary workaround, monitor file uploads closely and restrict access to sensitive system files and resources.