Ishaq Mohammed

**Name of the Vulnerable Software and Affected Versions** Rundeck Community Edition versions prior to 3.0.13 **Description** A cross-site scripting (XSS) issue was found on the Job Edit page, related to the assets/javascripts/workflowStepEditorKO.js and views/execution/ wfitemEdit.gsp files. **Recommendations** For versions prior to 3.0.13, update to version 3.0.13 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Kirby Panel versions prior to 2.3.3 Kirby Panel versions 2.4.x prior to 2.4.2 Kirby Panel versions 2.5.x prior to 2.5.7 **Description** A cross-site Scripting (XSS) issue exists when displaying a specially prepared SVG document that has been uploaded as a content file. **Recommendations** For versions prior to 2.3.3, update to version 2.3.3 or later. For versions 2.4.x prior to 2.4.2, update to version 2.4.2 or later. For versions 2.5.x prior to 2.5.7, update to version 2.5.7 or later.

**Name of the Vulnerable Software and Affected Versions** KeystoneJS versions prior to 4.0.0 **Description** A cross-site scripting (XSS) issue exists due to the failure to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. This leads to the execution of arbitrary JavaScript in an admin's browser when they open a new inquiry. **Recommendations** Update to version 4.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** KeystoneJS versions prior to 4.0.0-beta.7 **Description** A CSV Injection issue exists due to mishandled values in CSV exports. This issue affects the `admin/server/api/download.js` and `lib/list/getCSVData.js` files. **Recommendations** For versions prior to 4.0.0-beta.7, update to version 4.0.0-beta.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** OctoberCMS version 1.0.425 **Description** The issue allows a least privileged user to upload an SVG file containing malicious code as the Avatar for the profile. When this is opened by the Admin, it causes JavaScript execution in the context of the Admin account. **Recommendations** For OctoberCMS version 1.0.425, consider restricting the upload of SVG files or disabling the ability to set custom Avatars until a fix is available. Additionally, restrict access to the profile management feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 2.9.9 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `Title of your FAQ` field in the Configuration Module. **Recommendations** For versions prior to 2.9.9, update to version 2.9.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions prior to 2.9.9 **Description** The issue is related to a cross-site scripting (XSS) vulnerability. This vulnerability allows remote attackers to inject arbitrary web script or HTML via the `Questions` field in an "Add New FAQ" action. **Recommendations** For versions prior to 2.9.9, update to version 2.9.9 or later to resolve the issue.