Kasiasok

**Name of the Vulnerable Software and Affected Versions** Statamic Alt Redirect version 1.6.3 **Description** The Alt Redirect 1.6.3 addon for Statamic does not consistently remove query string parameters when the "Query String Strip" feature is enabled. Variations in case, encoded keys, and duplicate parameters are not removed, potentially allowing attackers to bypass sanitization. This could result in cache poisoning, parameter pollution, or denial of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Publii CMS version 0.46.5 (build 17089) **Description** Publii CMS version 0.46.5 (build 17089) contains a persistent Cross-Site Scripting (XSS) flaw. This occurs because input in configuration fields, such as “Site Description” and “Footer Follow Buttons”, is not properly sanitized. An attacker can inject arbitrary JavaScript code into these fields. This code is stored within the project and executed in the browsers of visitors accessing the generated static site. The vulnerable configuration fields include “Site Description” and “Footer Follow Buttons”. **Recommendations** Update to a newer version that contains a fix for this vulnerability.