Hu3Sky

**Name of the Vulnerable Software and Affected Versions** Hoosk version 1.7.0 **Description** The issue allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php. **Recommendations** For Hoosk version 1.7.0, update to a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Hoosk version 1.7.0 **Description** The issue allows for XSS via the Navigation Title of a new page entered at "admin/pages/new". **Recommendations** For Hoosk version 1.7.0, avoid using the Navigation Title field in the "admin/pages/new" endpoint until the issue is resolved. As a temporary workaround, consider validating and sanitizing user input for the Navigation Title to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** EasyCMS version 1.5 **Description** The issue allows for XSS via the `index.php?s=/admin/fields/update/navTabId/listfields/callbackType/closeCurrent` content field. **Recommendations** For EasyCMS version 1.5, update to a version that includes a fix for this issue, as using the current version may pose a security risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** HongCMS version 3.0.0 **Description** The issue allows for arbitrary file deletion. This can be achieved by manipulating the `file` parameter in the `/admin/index.php/language/ajax` endpoint with a `../` sequence and setting the `action` parameter to `delete`. **Recommendations** For HongCMS version 3.0.0, avoid using the `delete` action in the `/admin/index.php/language/ajax` endpoint until a fix is available. As a temporary workaround, consider restricting access to this endpoint to minimize the risk of exploitation.