Mohammed Alorf

**Name of the Vulnerable Software and Affected Versions** Qibosoft qibosoft versions 7 and earlier **Description** The issue allows a remote attacker to execute arbitrary code via the `eindtijd` and `starttijd` parameters of the "do/search.php" endpoint. This enables the attacker to perform actions such as injecting malicious scripts. **Recommendations** For Qibosoft qibosoft versions 7 and earlier, consider restricting access to the "do/search.php" endpoint until a patch is available. As a temporary workaround, avoid using the `eindtijd` and `starttijd` parameters in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Subrion CMS version 4.2.1 **Description** The issue allows for XSS attacks via the `name`, `email`, or `phone` parameter in the ` core/en/contacts/` endpoint. **Recommendations** For Subrion CMS version 4.2.1, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting user input for the `name`, `email`, and `phone` parameters to minimize the risk of exploitation.