
Michał Błaszczak

#21546 of 53,635
11.1 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2026-26052
5.3
2026-03-18
Unknown · Beefree.Io Sdk · CVE-2025-12518
**Name of the Vulnerable Software and Affected Versions**

beefree.io SDK versions prior to 3.47.0

**Description**

The beefree.io SDK contains a Stored Cross-Site Scripting (XSS) issue within the Social Media icon URL parameter of the email builder functionality. A malicious actor can inject arbitrary HTML and JavaScript into a template. This injected code will be rendered and executed when a user views the preview page. The effectiveness of payloads may be limited by the beefree Content Security Policy.

**Recommendations**

Update to version 3.47.0 or later.
PT-2020-16270
5.8
2020-12-28
Zammad · Zammad · CVE-2020-26033
**Name of the Vulnerable Software and Affected Versions**

Zammad versions prior to 3.4.1

**Description**

The Tag and Link REST API endpoints for add and delete operations lack a CSRF token check.

**Recommendations**

For versions prior to 3.4.1, update to version 3.4.1 or later to resolve the issue. As a temporary workaround, consider implementing a CSRF token check for the Tag and Link REST API endpoints until a patch is available.