Paweł Hałdrzyński

**Name of the Vulnerable Software and Affected Versions** Craft CMS Comments plugin versions prior to 1.5.5 **Description** A stored XSS issue was discovered via an asset volume name. **Recommendations** For versions prior to 1.5.5, update to version 1.5.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Craft CMS Comments plugin versions prior to 1.5.5 **Description** An issue affects comment integrity due to CSRF. **Recommendations** For versions prior to 1.5.5, update to version 1.5.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Comments plugin for Craft CMS versions prior to 1.5.6 **Description** The issue is related to stored XSS via a guest name. This allows for malicious code to be stored and executed when a user interacts with the affected component. **Recommendations** For versions prior to 1.5.6, update to version 1.5.6 or later to resolve the issue. As a temporary workaround, consider restricting access to the Comments plugin until the update is applied. Avoid using the guest name field in the Comments plugin until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Knock Knock plugin versions prior to 1.2.8 **Description** The issue allows IP Whitelist bypass via an X-Forwarded-For HTTP header. This means that an attacker can potentially bypass the IP whitelist by manipulating the X-Forwarded-For header in HTTP requests. **Recommendations** For versions prior to 1.2.8, update to version 1.2.8 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the Craft CMS to minimize the risk of exploitation. Avoid relying solely on the IP Whitelist for security until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Knock Knock plugin versions prior to 1.2.8 **Description** The issue allows malicious redirection. **Recommendations** For versions prior to 1.2.8, update to version 1.2.8 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Image Resizer plugin versions prior to 2.0.9 for Craft CMS **Description** The issue is related to CSRF problems with the log-clear controller action in the affected plugin. **Recommendations** For versions prior to 2.0.9, update to version 2.0.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the log-clear controller action to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Image Resizer plugin versions prior to 2.0.9 for Craft CMS **Description** The issue concerns stored XSS in the Bulk Resize action. **Recommendations** For versions prior to 2.0.9, update to version 2.0.9 or later to resolve the issue. As a temporary workaround, consider disabling the Bulk Resize action until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Sprout Forms versions prior to 3.9.0 **Description** A potential Server-Side Template Injection issue exists in Sprout Forms, which could lead to the execution of Twig code when using custom fields in Notification Emails. **Recommendations** For versions prior to 3.9.0, update to version 3.9.0 to fix the issue. As a temporary workaround for users unable to upgrade, update any Notification Emails to use the "Basic Notification (Sprout Email)" template and avoid using the "Basic Notification (Sprout Forms)" template or any custom templates that display Form Fields.