
Picaro_O

Rank: #17700 of 53,630
Total CVSS: 15.2
Vulnerabilities: 2 (Medium: 1, High: 1)

PT-2026-39507 · CVSS 6.4 · 2026-05-10
Unknown · Exponent CMS · CVE-2021-47931

**Name of the Vulnerable Software and Affected Versions**
Exponent CMS version 2.6

**Description**
Authenticated attackers can perform stored cross-site scripting by injecting malicious scripts via the `Title` and `Text Block` parameters in the text editing endpoint. This is achieved by injecting iframe payloads with embedded SVG onload events to execute arbitrary JavaScript. Additionally, the application exposes database credentials in responses and lacks brute-force protection on authentication endpoints.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.

PT-2026-2387 · CVSS 8.8 · 2026-01-13
Bitrix24 · Bitrix24 · CVE-2022-50911

**Name of the Vulnerable Software and Affected Versions**
Bitrix24 (affected versions not specified)

**Description**
A logged-in attacker can execute arbitrary system commands through the PHP command line admin interface, leading to remote code execution. The attacker leverages this by sending crafted POST requests to an administrative endpoint. The application's privileges are used to execute the code.

**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.