Bixie · Bixie Portfolio · CVE-2018-18087
**Name of the Vulnerable Software and Affected Versions**
Bixie Portfolio plugin version 1.2.0
**Description**
The issue is a stored cross-site scripting (XSS) flaw: a logged-in user with the "Manage portfolio" privilege can inject arbitrary web script or HTML via the `Image URL` field in the portfolio editor. The injected content is triggered for anyone who visits the "/portfolio/${project title}" API endpoint.
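The defensive counterpart of the flaw described above is to treat the `Image URL` value as untrusted data on both sides of storage: accept only URLs that are plausibly image locations, and encode the value for the HTML attribute context when it is rendered. The following JavaScript is an added example written for this advisory; it is not code from the Bixie Portfolio plugin, and the function names (`sanitizeImageUrl`, `escapeHtmlAttr`, `renderImageTagSafe`) and the constructed sample inputs are assumptions for illustration. It relies only on the WHATWG `URL` class that Node.js and browsers provide.

```javascript
// Added example, not the plugin's own code. Demonstrates validating a
// user-supplied image URL and escaping it for an HTML attribute context,
// next to the unsafe raw interpolation that produces a stored XSS.

// Only absolute URLs with these schemes are accepted; "javascript:", "data:"
// and anything else are rejected.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised URL string, or null when the value must be rejected.
function sanitizeImageUrl(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > 2048) return null;

  // Site-relative paths such as "/storage/pic.jpg" are allowed, but a
  // protocol-relative "//host/x" is not, and no quotes, angle brackets,
  // backslashes or control characters may appear in them.
  if (trimmed.startsWith("/") && !trimmed.startsWith("//")) {
    return /[\x00-\x1f<>"'\\]/.test(trimmed) ? null : trimmed;
  }

  // Everything else must parse as an absolute URL with an allowed scheme.
  // The URL parser also percent-encodes characters such as '"' and ' '.
  let parsed;
  try {
    parsed = new URL(trimmed);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Escapes the five characters that matter inside a quoted HTML attribute.
function escapeHtmlAttr(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the stored value is interpolated directly into markup,
// so a value containing '"' and '<' breaks out of the src attribute.
function renderImageTagUnsafe(url) {
  return `<img src="${url}">`;
}

// Hardened pattern: validate first, then encode for the attribute context.
// Rejected values render nothing rather than a partially sanitised tag.
function renderImageTagSafe(url) {
  const clean = sanitizeImageUrl(url);
  if (clean === null) return "";
  return `<img src="${escapeHtmlAttr(clean)}">`;
}

// Constructed sample inputs (not values from the advisory).
const SAMPLES = [
  "https://example.com/a.png",
  "/storage/pic.jpg",
  "javascript:alert(1)",
  '"><b>injected</b>',
  "https://example.com/a.png?x=1&y=2",
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(renderImageTagSafe(s)));
}
```

The two layers are deliberately independent: the scheme allowlist stops `javascript:` and `data:` URLs that would be harmless to an attribute escaper but still executable in `src`, while the attribute escaping protects the markup even if a future change to the validator lets a quote through.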
**Recommendations**
For Bixie Portfolio plugin version 1.2.0, consider disabling the portfolio editor for users with the "Manage portfolio" privilege until a fix is available. Restrict access to the "/portfolio/${project title}" API endpoint to minimize the risk of exploitation. Avoid using the `Image URL` field in the portfolio editor until the issue is resolved.