
Nikola Kojic

Researcher from RAS-IT
#18216 of 53,633
14.9 Total CVSS
Vulnerabilities · 2
Medium: 1
High: 1

PT-2022-17417 · CVSS 8.8 · 2022-08-26
Broadcom · Symantec Privileged Access Management · CVE-2022-25625

**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned.

**Description** A malicious unauthorized PAM user can access the administration configuration data and change the values.

**Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2018-11004 · CVSS 6.1 · 2018-06-11
Lams · Lams · CVE-2018-12090

**Name of the Vulnerable Software and Affected Versions** LAMS versions prior to 3.1

**Description** The issue concerns unauthenticated reflected cross-site scripting (XSS) that allows a remote attacker to introduce arbitrary JavaScript. This is achieved through the manipulation of an unsanitized GET parameter during a password change, specifically in the forgotPasswordChange.jsp page with a key parameter.

**Recommendations** For versions prior to 3.1, update to version 3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the forgotPasswordChange.jsp page to minimize the risk of exploitation. Avoid using the key parameter in the forgotPasswordChange.jsp page until the issue is resolved.