Seryun Ham

**Name of the Vulnerable Software and Affected Versions** ThinkPHP version 8.0.3 **Description** The issue allows remote attackers to exploit XSS due to inadequate filtering of function argument values in think exception.tpl. Additionally, it enables remote attackers to discover the PHPSESSION cookie because think exception.tpl provides this in an error message for a crafted URI in a GET request. **Recommendations** For ThinkPHP version 8.0.3, consider disabling the think exception.tpl template until a patch is available to prevent the disclosure of the PHPSESSION cookie and mitigate the risk of XSS exploitation. Restrict access to error messages that may contain sensitive information to minimize the risk of exploitation. Avoid using crafted URIs in GET requests to the affected think exception.tpl template until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PgHero versions prior to 3.1.0 **Description** The issue allows information disclosure via EXPLAIN, as query results may be present in an error message. Depending on database user privileges, this may disclose information from the database or from file contents on the database server. **Recommendations** For versions prior to 3.1.0, update to version 3.1.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the EXPLAIN feature to minimize the risk of information disclosure.