Konchan

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 109.4 **Description** A weakness exists in the Antispam Plugin component within the '/admin/plugin antispam' file. A remote attacker can perform a manipulation of the `f logging file` argument to execute cross-site scripting (XSS), which occurs when an application includes untrusted data in a web page without proper validation or encoding. This issue is caused by a lack of filtering via the `htmlspecialchars()` function, allowing attackers to bypass output encoding. **Recommendations** Upgrade to version 109.4. As a temporary workaround, restrict access to the '/admin/plugin antispam' file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 109.4 **Description** An issue exists in the Redirect Plugin where the manipulation of the `f all` or `f all404` arguments allows for cross-site scripting (XSS), a condition where malicious scripts are injected into trusted websites. This occurs due to a lack of filtering via the `htmlspecialchars()` function, which is used to convert special characters to HTML entities to prevent the browser from interpreting them as code. The attack can be executed remotely. **Recommendations** Upgrade to version 109.4.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 109.4 **Description** A cross-site scripting issue exists in the `mail send` plugin. Remote attackers can initiate an attack by manipulating the `f subject`, `f files`, or `f from` arguments. This occurs due to a lack of filtering via the `htmlspecialchars()` function, which is used to convert special characters to HTML entities to prevent the browser from interpreting them as code. **Recommendations** Upgrade to version 109.4.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 109.4 **Description** A flaw in the `down count` plugin allows for cross-site scripting (XSS) via the manipulation of the `f file` and `f prefix` arguments. This issue occurs due to a lack of filtering using the `htmlspecialchars()` function, which is used to convert special characters to HTML entities to prevent the browser from interpreting them as code. **Recommendations** Upgrade to version 109.4.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 109.4 **Description** A cross-site scripting issue exists in the Guestbook Plugin component due to improper processing of the `f text`, `f slug`, `f limit`, and `f email` arguments. This occurs because of a lack of filtering via the `htmlspecialchars()` function, which is used to convert special characters to HTML entities to prevent the browser from interpreting them as code. This flaw allows a remote attacker to execute malicious scripts. **Recommendations** Update to version 109.4.

**Name of the Vulnerable Software and Affected Versions** MaxSite CMS versions prior to 109.4 **Description** A cross-site scripting issue exists in the ushki Plugin. Manipulation of the `f ushka new`/`f ushk` argument allows remote exploitation due to a lack of filtering via the `htmlspecialchars()` function, which is used to convert special characters to HTML entities to prevent the browser from interpreting them as code. **Recommendations** Update to version 109.4.