Saifallah Benmassaoud

**Name of the Vulnerable Software and Affected Versions** Subsonic version 6.1.3 **Description** The issue allows an attacker to retrieve sensitive user information via a read request, exploiting an insecure allow-access-from domain="*" Flash cross-domain policy. To exploit this, an attacker must convince the user to visit a web site loaded with a SWF file created to steal user data. **Recommendations** For Subsonic version 6.1.3, consider restricting access to sensitive user information until a patch is available. As a temporary workaround, avoid using Flash-based features that may be exploited through the cross-domain policy issue.

**Name of the Vulnerable Software and Affected Versions** Perch Content Management System version 3.0.3 **Description** The issue allows for unrestricted file upload, which can lead to cross-site scripting (XSS) attacks. This can be exploited by using the Asset Title field in conjunction with the Select File field. The exploitation of this issue is possible with a Limited Admin account. **Recommendations** For Perch Content Management System version 3.0.3, consider restricting access to the Asset Title and Select File fields to prevent unrestricted file uploads until a fix is available. As a temporary workaround, limit the permissions of Limited Admin accounts to minimize the risk of exploitation.