WordPress · Fluentcrm · CVE-2026-7798
**Name of the Vulnerable Software and Affected Versions**
FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution versions prior to 2.9.88
**Description**
The plugin is susceptible to Blind Server-Side Request Forgery (SSRF), a flaw in which an attacker can force the server to issue HTTP requests to an arbitrary destination. Unauthenticated attackers can exploit it via the `SubscribeURL` parameter to query or modify information on internal services. The issue is exploitable only when the SES bounce handling key `fc bounce key` has not been stored, which is the case while the site is in its default, unconfigured state regarding SES bounce handling. Once the bounce configuration page is visited, a random key is generated and stored, which blocks unauthenticated requests.
**Recommendations**
Update to a version newer than 2.9.87.
As a temporary mitigation, visit the SES bounce configuration page so that the `fc bounce key` is generated and stored.
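The failure mode described above (a handler that fails open when its secret has never been generated, then fetches an attacker-supplied `SubscribeURL`) and the hardened form, written as an added illustration in generic WordPress-style PHP; this is not FluentCRM's code, and every function and option name in it is hypothetical. It assumes the bounce webhook receives Amazon SNS notification bodies, where `SubscribeURL` is the subscription-confirmation field the server is expected to fetch.

```php
<?php
// Added illustration, not FluentCRM's code. Option and function names are
// hypothetical; the two checks show the weak and the corrected behaviour.

// Weak pattern: if no bounce key has ever been generated, the check is
// skipped entirely, so the handler is reachable without any secret.
function weak_bounce_auth_ok(string $presented_key): bool {
    $stored = get_option('example_bounce_key', '');   // hypothetical option
    if ($stored === '') {
        return true;   // unconfigured site: fails open
    }
    return hash_equals($stored, $presented_key);
}

// Hardened pattern: fail closed while no key exists, and compare in
// constant time once one does.
function strict_bounce_auth_ok(string $presented_key): bool {
    $stored = get_option('example_bounce_key', '');
    if ($stored === '' || $presented_key === '') {
        return false;  // no key stored yet: reject instead of accepting
    }
    return hash_equals($stored, $presented_key);
}

// Assumption: only HTTPS SNS endpoints (e.g. sns.us-east-1.amazonaws.com)
// are legitimate SubscribeURL targets, so anything else is refused.
function is_allowed_subscribe_url(string $url): bool {
    $parts = wp_parse_url($url);
    if (!is_array($parts) || ($parts['scheme'] ?? '') !== 'https') {
        return false;
    }
    $host = strtolower($parts['host'] ?? '');
    return (bool) preg_match('/^sns\.[a-z0-9-]+\.amazonaws\.com$/', $host);
}

function handle_sns_message(array $body, string $presented_key): void {
    if (!strict_bounce_auth_ok($presented_key)) {
        wp_send_json_error('unauthorized', 403);
    }
    if (($body['Type'] ?? '') === 'SubscriptionConfirmation') {
        $url = (string) ($body['SubscribeURL'] ?? '');
        if (!is_allowed_subscribe_url($url)) {
            wp_send_json_error('rejected SubscribeURL', 400);
        }
        // Server-side fetch only after both checks pass; redirects are not
        // followed so an allowed host cannot bounce the request elsewhere.
        wp_remote_get($url, ['timeout' => 10, 'redirection' => 0]);
    }
}
```

The fail-open branch in `weak_bounce_auth_ok` is the condition the advisory describes; generating the key removes it, while `strict_bounce_auth_ok` removes it regardless of configuration state.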