K Shanmukha Srinivasulu Royal

**Name of the Vulnerable Software and Affected Versions** HTMLy version 3.1.1 **Description** A Cross-Site Scripting (XSS) issue exists in the content creation functionality at the '/add/content?type=image' endpoint. The application fails to properly sanitize user input, which allows the injection of arbitrary code. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ApostropheCMS versions prior to 4.29.0 **Description** A stored cross-site scripting issue exists in SEO-related fields, specifically the SEO Title and Meta Description. User-controlled input is rendered without proper output encoding into HTML contexts, including <title> tags, <meta> attributes, and JSON-LD structured data. This allows an attacker to inject and execute arbitrary JavaScript in the browser of authenticated users. This can be used to perform authenticated API requests to endpoints such as '/api/v1/@apostrophecms/user' and exfiltrate sensitive data, including usernames, email addresses, and roles, to an external server. **Recommendations** Update to version 4.29.0.