Listmonk · Listmonk · CVE-2025-58430
**Name of the Vulnerable Software and Affected Versions**
listmonk versions 1.1.0 and earlier
**Description**
listmonk, a standalone newsletter and mailing list manager, is susceptible to a chain of vulnerabilities involving Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). Specifically, the backend does not validate the `nonce` value that accompanies the `session` cookie in HTTP requests: a request from which the `nonce` has been removed is still processed, which, combined with the other vulnerabilities, can lead to critical issues such as improper admin account creation. The absence of a `SameSite` policy on the cookie further exacerbates the risk, since a malicious website can cause the victim's browser to send it. Exploitation involves chaining CSRF and XSS to execute arbitrary code in the victim's browser, ultimately allowing an attacker to create new administrative accounts.
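The two missing controls the description names, shown from the defender's side in an added Go example (not listmonk's own code): a nonce bound to the session at login, a `session` cookie issued with `SameSite=Strict`, and a check that rejects any state-changing request whose nonce is absent or does not match. The `X-Nonce` header name and the in-memory session store are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"net/http"
)

// Constructed in-memory store for the example: session ID -> nonce issued with it.
// A real server would keep this in its session store and guard it for concurrency.
var sessions = map[string]string{}

func randomHex(n int) string {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// newSession issues a session ID with a nonce bound to it and sets the session
// cookie SameSite=Strict so a cross-site request does not carry it.
func newSession(w http.ResponseWriter) (sid, nonce string) {
	sid, nonce = randomHex(16), randomHex(16)
	sessions[sid] = nonce
	http.SetCookie(w, &http.Cookie{Name: "session", Value: sid, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode})
	return sid, nonce
}

// validNonce is the check the advisory says is absent: the nonce the client
// sends (assumed here to be the X-Nonce header) must be present and must
// match the nonce bound to the session cookie. A missing nonce is rejected.
func validNonce(r *http.Request) bool {
	c, err := r.Cookie("session")
	if err != nil {
		return false
	}
	want, ok := sessions[c.Value]
	got := r.Header.Get("X-Nonce")
	if !ok || got == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}
```

Every handler that changes state (user creation included) should call `validNonce` before doing any work and answer 403 when it returns false.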
**Recommendations**
Versions prior to 1.1.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.