Unknown · Globalnewfiles · CVE-2021-39186
**Name of the Vulnerable Software and Affected Versions**
GlobalNewFiles versions prior to commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d
**Description**
The GlobalNewFiles special page is vulnerable to a stored XSS due to the lack of proper input validation in the username column. This issue can be exploited by inserting malicious HTML or JavaScript code into account names. As a workaround, disallowing certain characters such as `<` and `>` from being used in account names can prevent the XSS.
**Recommendations**
Update to a version that includes commit cee254e1b158cdb0ddbea716b1d3edc31fa4fb5d, which patches the issue.
As a temporary workaround, consider disallowing `<`, `>` (or other characters required to insert HTML/JavaScript) from being used in account names to prevent the XSS.
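The following PHP sketch is an added example, not code from GlobalNewFiles or its patch. It contrasts a username table cell rendered without and with output encoding, next to the character-filter workaround described above. The function names and sample account names are constructed for illustration, and output encoding is shown as a general defence for this bug class, since the page does not show how the patch itself fixes it.

```php
<?php
// Added illustration; not GlobalNewFiles code. All function names are hypothetical.

// Workaround from the advisory: reject account names containing the
// characters needed to open or close markup.
function isAllowedAccountName(string $name): bool {
    return strpbrk($name, '<>') === false;
}

// Vulnerable pattern: the stored name is concatenated into the cell as-is,
// so any markup in the name becomes part of the page.
function renderUserCellUnsafe(string $name): string {
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode on output, so a stored name is always rendered
// as text, including names created before the filter was in place.
function renderUserCellSafe(string $name): string {
    return '<td>' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Constructed sample account names.
$names = ['Alice', 'Bob <b>x</b>', '<script>alert(1)</script>'];

foreach ($names as $name) {
    printf(
        "%-28s allowed=%s\n  unsafe: %s\n  safe:   %s\n",
        $name,
        isAllowedAccountName($name) ? 'yes' : 'no',
        renderUserCellUnsafe($name),
        renderUserCellSafe($name)
    );
}
```

The filter only blocks new registrations; accounts that already exist with such names are still rendered, which is why the update remains the actual fix.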