Imsebao

**Name of the Vulnerable Software and Affected Versions** YUNUCMS version 1.0.7 **Description** The issue is related to a XSS flaw that can be triggered via the content title on an admin/content/addcontent/cid/## page, also known as a news center page. **Recommendations** For YUNUCMS version 1.0.7, consider restricting access to the admin/content/addcontent/cid/## page until a fix is available, and avoid using user-supplied input for the content title to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: QCMS version 3.0 Description: The issue allows for XSS via the `webname` parameter to the "/backend/system.html" API endpoint. Recommendations: For QCMS version 3.0, update to a version that includes a fix for this issue, if available. As a temporary workaround, consider restricting access to the "/backend/system.html" endpoint or avoiding the use of the `webname` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** lyadmin versions 1.x **Description** The issue allows for XSS via the `config[WEB SITE TITLE]` parameter to the "/admin.php?s=/admin/config/groupsave.html" API endpoint. **Recommendations** For lyadmin version 1.x, update to a version that fixes this issue, however at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the "/admin.php?s=/admin/config/groupsave.html" endpoint and avoid using the `config[WEB SITE TITLE]` parameter until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Dojo Toolkit version 1.13 **Description** The issue is related to the dijit.Editor component in Dojo Toolkit, which allows for cross-site scripting (XSS) attacks via the `onload` attribute of an SVG element. This can enable a remote attacker to perform cross-site scripting attacks. **Recommendations** For Dojo Toolkit version 1.13, consider disabling the use of SVG elements with the `onload` attribute in the dijit.Editor component until a patch is available. Restrict access to the dijit.Editor component to minimize the risk of exploitation. Avoid using the `onload` attribute in SVG elements within the dijit.Editor component until the issue is resolved.