Phantom0301

Name of the Vulnerable Software and Affected Versions: BigTree version 4.2.19 Description: The issue allows remote users to inject arbitrary web script or HTML via the `directory` parameter in the `/core/admin/ajax/developer/extensions/file-browser.php` API endpoint. This is a cross-site scripting (XSS) issue. Recommendations: For BigTree version 4.2.19, as a temporary workaround, consider restricting access to the `/core/admin/ajax/developer/extensions/file-browser.php` API endpoint until a patch is available. Avoid using the `directory` parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MetInfo version 5.3.17 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `Client-IP` or `X-Forwarded-For` HTTP header to the "/include/stat/stat.php" API endpoint in a `para` action. **Recommendations** For MetInfo version 5.3.17, as a temporary workaround, consider restricting access to the "/include/stat/stat.php" endpoint until a patch is available. Avoid using the `Client-IP` or `X-Forwarded-For` headers in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** b2evolution versions prior to 6.8.4 **Description** The issue allows remote authenticated users to inject arbitrary web script or HTML via a .swf file in a comment frame or avatar frame, potentially leading to cross-site scripting (XSS) attacks. **Recommendations** For versions prior to 6.8.4, update to version 6.8.4 or later to resolve the issue.