Phoenix

**Name of the Vulnerable Software and Affected Versions** Microweber version 1.2.15 **Description** The issue allows attackers to perform an account takeover via a host header injection attack. This enables unauthorized access to user accounts, potentially leading to data breaches or other malicious activities. **Recommendations** For Microweber version 1.2.15, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to sensitive account settings to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Gutenberg plugin versions through 13.7.3 for WordPress **Description** The issue allows stored XSS by the Contributor role via an SVG document to the "Insert from URL" feature. The XSS payload does not execute in the context of the WordPress instance's domain. However, some similar products block analogous attempts by low-privileged users to reference SVG documents, and this behavioral difference might have security relevance to some WordPress site administrators. **Recommendations** For versions through 13.7.3, consider disabling the "Insert from URL" feature until a patch is available to prevent exploitation. Restrict access to the SVG document upload functionality to minimize the risk of stored XSS attacks.

**Name of the Vulnerable Software and Affected Versions** Known versions 1.3.1 and prior **Description** The issue is related to an Insecure Direct Object Reference (IDOR) in Known. There is no information provided about the estimated number of potentially affected devices worldwide or details about real-world incidents where this issue was exploited. **Recommendations** For versions 1.3.1 and prior, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Known versions 1.2.2 through 1.3.1 **Description** A cross-site scripting (XSS) vulnerability allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Your Name` text field. **Recommendations** For versions 1.2.2 through 1.3.1, consider disabling the `Your Name` text field until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Known versions 1.2.2 through 1.3.1 **Description** An issue in the `isSVG()` function allows attackers to execute arbitrary code via a crafted SVG file. The researcher report indicates that versions 1.3.1 and prior are vulnerable. **Recommendations** For versions 1.2.2 through 1.3.1, consider disabling the `isSVG()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Known versions 1.3.1 and prior **Description** The issue allows attackers to perform an account takeover via a host header injection attack. **Recommendations** For versions 1.3.1 and prior, consider restricting access to sensitive account information until a patch is available. As a temporary workaround, consider implementing additional validation on the host header to prevent injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.