Robogr00T

**Name of the Vulnerable Software and Affected Versions** XWiki Platform versions prior to 14.10.21 XWiki Platform versions prior to 15.5.5 XWiki Platform versions prior to 15.10.6 XWiki Platform versions prior to 16.0.0 **Description** The issue is related to the execution of malicious JavaScript code when uploading an attachment with a malicious filename. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment, allowing actions to be performed in the name of that user. **Recommendations** For XWiki Platform versions prior to 14.10.21, update to version 14.10.21 or later. For XWiki Platform versions prior to 15.5.5, update to version 15.5.5 or later. For XWiki Platform versions prior to 15.10.6, update to version 15.10.6 or later. For XWiki Platform versions prior to 16.0.0, update to version 16.0.0 or later.

**Name of the Vulnerable Software and Affected Versions** openclass versions 3.15 and earlier **Description** The issue allows an attacker to execute arbitrary code via a crafted file to the "certbadge.php" endpoint. This enables the attacker to potentially gain control over the system. **Recommendations** For versions 3.15 and earlier, as a temporary workaround, consider restricting access to the "certbadge.php" endpoint until a patch is available. Avoid using this endpoint with untrusted files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.