Drupal · CVE-2018-9861
**Name of the Vulnerable Software and Affected Versions**
CKEditor versions 4.5.10 through 4.9.1
Drupal 8 versions prior to 8.4.7
Drupal 8.5.x versions prior to 8.5.2
**Description**
The issue allows remote attackers to inject arbitrary web script through a crafted IMG element, resulting in a cross-site scripting (XSS) vulnerability. This occurs because the Enhanced Image plugin for CKEditor does not properly validate user input.
**Recommendations**
For CKEditor versions 4.5.10 through 4.9.1, update to version 4.9.2 to resolve the issue.
For Drupal 8 versions prior to 8.4.7, update to version 8.4.7 or later.
For Drupal 8.5.x versions prior to 8.5.2, update to version 8.5.2 or later.
As a temporary workaround until the update can be applied, consider disabling the Enhanced Image (`image2`) plugin, or restricting which users are allowed to use it, to minimize the risk of exploitation. Until the issue is resolved, treat IMG elements submitted through the affected editor as untrusted input.
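The following script is an added inventory check, not part of this advisory or of the Drupal or CKEditor projects: it encodes the affected ranges listed above so that installed versions can be flagged for patching. The inventory entries it runs over are constructed sample data.

```python
"""Flag CKEditor / Drupal 8 versions that fall inside the ranges this advisory
lists for CVE-2018-9861. Versions are compared as integer tuples so that
4.9.10 sorts after 4.9.2 (plain string comparison would get that wrong)."""
import re
from typing import List, Tuple

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '8.5.1' (or '8.5.1-rc1'; pre-release suffixes are ignored) into (8, 5, 1)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so '8.5' compares as 8.5.0

def ckeditor_affected(version: str) -> bool:
    """CKEditor 4.5.10 through 4.9.1 inclusive; fixed in 4.9.2."""
    v = parse_version(version)
    return (4, 5, 10) <= v <= (4, 9, 1)

def drupal_affected(version: str) -> bool:
    """Drupal 8 prior to 8.4.7, and Drupal 8.5.x prior to 8.5.2."""
    v = parse_version(version)
    if v[0] != 8:
        return False  # the advisory lists only Drupal 8 branches
    if v[:2] == (8, 5):
        return v < (8, 5, 2)
    return v < (8, 4, 7)

def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that still need patching."""
    checks = {"ckeditor": ckeditor_affected, "drupal": drupal_affected}
    return [entry for entry in inventory if checks[entry[1]](entry[2])]

if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders, not real systems.
    sample = [("site-a", "drupal", "8.4.6"), ("site-b", "drupal", "8.5.2"),
              ("site-c", "ckeditor", "4.9.1"), ("site-d", "ckeditor", "4.9.10")]
    for host, product, version in audit(sample):
        print(f"{host}: {product} {version} is within the affected range")
```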