Nakul Ratti

**Name of the Vulnerable Software and Affected Versions** b2evolution cms version 6.11.6-stable **Description** A reflected cross-site scripting issue exists, allowing remote attackers to inject arbitrary web script or HTML code. This is achieved via the `tab3` parameter in the evoadm.php file. **Recommendations** For version 6.11.6-stable, consider restricting access to the evoadm.php file or disabling the `tab3` parameter to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** b2evolution CMS versions prior to 6.11.6 **Description** The issue allows an attacker to perform malicious open redirects to an attacker-controlled resource via the `redirect to` parameter in `email passthrough.php`. **Recommendations** For versions prior to 6.11.6, update to version 6.11.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the `email passthrough.php` file or disabling the `redirect to` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** b2evolution CMS versions prior to 6.11.7 **Description** The issue allows an attacker to execute malicious JavaScript code via the plugin name input field in the plugin module. This is a Stored XSS issue. **Recommendations** For b2evolution CMS versions prior to 6.11.7, update to version 6.11.7 or later to resolve the issue. As a temporary workaround, consider restricting access to the plugin module to minimize the risk of exploitation. Avoid using the plugin name input field in the plugin module until the issue is resolved.