R0Ck3T1973

**Name of the Vulnerable Software and Affected Versions** Tiki versions prior to 27.1 **Description** The issue allows users with specific permissions to insert a stored XSS payload in the Name field of the Modules section, accessible through tiki-admin modules.php. This can lead to the execution of malicious scripts when the module is accessed. **Recommendations** For versions prior to 27.1, update to version 27.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the Modules section for users with permissions that could be used to insert malicious payloads.

**Name of the Vulnerable Software and Affected Versions** Tiki versions prior to 27.1 **Description** The issue allows users with specific permissions to insert a stored XSS payload in the Index by creating or editing an external wiki. This can lead to the execution of malicious scripts. **Recommendations** For versions prior to 27.1, update to version 27.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Create/Edit External Wiki" feature for users with certain permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tiki versions prior to 27.1 **Description** The issue allows users with specific permissions to insert a stored XSS payload in the Name field when creating or editing an external wiki. This can lead to the execution of malicious scripts. **Recommendations** For versions prior to 27.1, update to version 27.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "Create/Edit External Wiki" feature for users with certain permissions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Tiki versions prior to 27.1 **Description** The issue allows users with specific permissions to insert a stored XSS payload in the description, potentially leading to security breaches. **Recommendations** For versions prior to 27.1, update to version 27.1 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Mara CMS version 7.5 Description: A cross site scripting (XSS) issue in menuedit.php allows attackers to execute arbitrary web scripts or HTML via a crafted payload. Recommendations: For Mara CMS version 7.5, update to a version that includes a fix for this issue, as the current version allows execution of arbitrary web scripts or HTML, posing a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mara version 7.5 **Description** A remote code execution issue in the `/codebase/dir.php?type=filenew` component allows attackers to execute arbitrary commands via a crafted PHP file. **Recommendations** For Mara version 7.5, consider disabling the `/codebase/dir.php?type=filenew` component until a patch is available to prevent exploitation. Restrict access to this component to minimize the risk of arbitrary command execution. Avoid using crafted PHP files in the affected component until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TikiWiki version 21.4 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Add Event module in the tiki-calendar.php component. This is a cross-site scripting (XSS) issue. **Recommendations** For TikiWiki version 21.4, consider disabling the Add Event module in the tiki-calendar.php component until a patch is available. Restrict access to the tiki-calendar.php component to minimize the risk of exploitation. Avoid using the Add Event module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TikiWiki version 21.4 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload under the Create category module in the tiki-browse categories.php component. This is a cross-site scripting (XSS) issue. **Recommendations** For TikiWiki version 21.4, consider disabling the Create category module until a patch is available to prevent exploitation of the XSS vulnerability in the tiki-browse categories.php component.

**Name of the Vulnerable Software and Affected Versions** Monstra version 3.0.4 **Description** A remote code execution issue in the `/admin/index.php?id=themes&action=edit template&filename=blog` component allows attackers to execute arbitrary commands via a crafted PHP file. **Recommendations** For Monstra version 3.0.4, consider disabling access to the `/admin/index.php?id=themes&action=edit template&filename=blog` endpoint until a patch is available. Restrict the ability to upload or execute PHP files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: BlackCat CMS version 1.3.6 Description: A stored cross site scripting (XSS) issue in the 'Add Page' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Title` parameter. Recommendations: For BlackCat CMS version 1.3.6, consider disabling the 'Add Page' feature until a patch is available to prevent exploitation. Restrict access to the `Title` parameter in the 'Add Page' feature to minimize the risk of arbitrary web script execution. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: moziloCMS version 2.0 Description: A stored cross site scripting (XSS) issue allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Content` parameter. Recommendations: For moziloCMS version 2.0, consider restricting access to the `Content` parameter to minimize the risk of exploitation until a patch is available. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Codoforum version 5.0.2 Description: A stored cross site scripting (XSS) issue in the 'Smileys' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Smiley Code` parameter. Recommendations: For Codoforum version 5.0.2, consider disabling the 'Smileys' feature until a patch is available to prevent exploitation. Restrict access to the `Smiley Code` parameter to minimize the risk of arbitrary web script execution.

Name of the Vulnerable Software and Affected Versions: Codoforum version 5.0.2 Description: A stored cross site scripting (XSS) issue in the 'Pages' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Page Title` parameter. Recommendations: For Codoforum version 5.0.2, consider disabling the 'Pages' feature until a patch is available to prevent exploitation. Restrict access to the `Page Title` parameter to minimize the risk of arbitrary web script execution. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: BlackCat CMS version 1.3.6 Description: A stored cross site scripting (XSS) issue in the 'Admin-Tools' feature allows authenticated attackers to execute arbitrary web scripts or HTML via crafted payloads entered into the `Output Filters` and `Droplets` modules. Recommendations: For BlackCat CMS version 1.3.6, consider disabling the `Admin-Tools` feature, specifically the `Output Filters` and `Droplets` modules, until a patch is available to prevent exploitation. Restrict access to these modules to minimize the risk of arbitrary web script or HTML execution.

Name of the Vulnerable Software and Affected Versions: Codoforum version 5.0.2 Description: A stored cross site scripting issue in the 'Manage Users' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Username` parameter. Recommendations: For Codoforum version 5.0.2, as a temporary workaround, consider restricting access to the 'Manage Users' feature until a patch is available. Avoid using the `Username` parameter in the affected feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.7.2 Description: A stored cross site scripting issue in the 'Users Alerts' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Title` parameter. Recommendations: For Rukovoditel version 2.7.2, consider restricting access to the 'Users Alerts' feature until a patch is available, and avoid using the `Title` parameter in this feature to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.7.2 Description: A stored cross site scripting (XSS) issue in the 'Global Lists' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Name` parameter. Recommendations: For Rukovoditel version 2.7.2, consider restricting access to the 'Global Lists' feature until a patch is available, and avoid using the `Name` parameter in this feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.7.2 Description: A stored cross site scripting (XSS) issue in the 'Users Access Groups' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Name` parameter. Recommendations: For Rukovoditel version 2.7.2, consider restricting access to the 'Users Access Groups' feature until a patch is available, and avoid using the `Name` parameter in this feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Rukovoditel version 2.7.2 Description: A stored cross site scripting (XSS) issue in the 'Entities List' feature allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Name` parameter. Recommendations: For Rukovoditel version 2.7.2, consider restricting access to the 'Entities List' feature until a patch is available, and avoid using the `Name` parameter in this feature to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: dotCMS version 21.05.1 Description: A stored cross site scripting (XSS) issue allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Title` and `Filename` parameters in the dotAdmin/#/c/c Images section. Recommendations: For dotCMS version 21.05.1, as a temporary workaround, consider restricting access to the dotAdmin/#/c/c Images section until a patch is available. Avoid using the `Title` and `Filename` parameters in this section with untrusted input until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.