Leousumo

**Name of the Vulnerable Software and Affected Versions** Piwigo version 14.5.0 **Description** A stored cross-site scripting (XSS) issue in the Configuration page allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Page banner` parameter. This could potentially lead to the execution of malicious code on the victim's browser. **Recommendations** For Piwigo version 14.5.0, consider removing or restricting access to the Configuration page until a fix is available. As a temporary workaround, avoid using the `Page banner` parameter in the Configuration page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** MyBB version 1.8.38 **Description** A stored cross-site scripting (XSS) issue exists in the component installindex.php, allowing attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Website Name` parameter. This enables attackers to potentially manipulate website content or steal user data. **Recommendations** For MyBB version 1.8.38, as a temporary workaround, consider restricting access to the installindex.php component until a patch is available. Avoid using the `Website Name` parameter in the affected component to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DomainMOD versions prior to 4.12.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject JavaScript code via the "admin/domain-fields/edit.php" API endpoint and the `cdfid` parameter. This enables attackers to execute malicious scripts on the victim's browser. **Recommendations** For versions prior to 4.12.0, update to version 4.12.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admin/domain-fields/edit.php" endpoint and avoiding the use of the `cdfid` parameter until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** DomainMOD versions prior to 4.12.0 **Description** The issue is related to a reflected Cross Site Scripting (XSS) vulnerability in the queueindex.php file of DomainMOD. The `list id` and `domain id` parameters in the GET request can be exploited to cause this issue. **Recommendations** For versions prior to 4.12.0, update to version 4.12.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the queueindex.php file or validating and sanitizing the `list id` and `domain id` parameters in the GET request to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DomainMOD versions prior to 4.12.0 **Description** A reflected Cross Site Scripting (XSS) issue is present in the segmentsedit.php file. The `segid` parameter in the GET request can be exploited to cause this issue. **Recommendations** For versions prior to 4.12.0, update to version 4.12.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the segmentsedit.php file or avoiding the use of the `segid` parameter in the GET request until a patch is applied.