Qk121

#20751 of 53,625
12.2 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2026-28390
6.1
2026-03-26
Yzmcms · Yzmcms · CVE-2026-29933
**Name of the Vulnerable Software and Affected Versions** YZMCMS version 7.4

**Description** A reflected cross-site scripting (XSS) issue exists in the `/index/login.html` component. It allows attackers to execute arbitrary JavaScript in the user's browser by modifying the `referrer` value in the request header. The affected API endpoint is `/index/login.html`.

**Recommendations** Update YZMCMS to a version that addresses this issue. As a temporary workaround, sanitize the `referrer` header value before processing it in the `/index/login.html` component.
PT-2026-28391
6.1
2026-03-26
Lightcms · Lightcms · CVE-2026-29934
**Name of the Vulnerable Software and Affected Versions** Lightcms version 2.0

**Description** A reflected cross-site scripting (XSS) issue exists in the `/admin/menus` component. It allows attackers to execute arbitrary JavaScript in a user's browser by altering the `referer` value in the request header. The vulnerable component is accessible via the `/admin/menus` API endpoint. The `referer` variable is susceptible to manipulation.

**Recommendations** Modify the application to properly sanitize the `referer` variable before using it in the `/admin/menus` component.