Ex Libris · Ex Libris Aleph 500 · CVE-2014-3718
**Name of the Vulnerable Software and Affected Versions**
Ex Libris ALEPH 500 versions 18.1 through 20
**Description**
The `cgi-bin/tag_m.cgi` endpoint allows remote attackers to inject arbitrary web script or HTML via the `find`, `lib`, or `sid` parameters, which the script reflects into its HTML response. An attacker who gets a user of the affected ALEPH 500 installation to open a crafted URL can therefore perform cross-site scripting (XSS) attacks, executing script in that user's browser in the context of the ALEPH site.
**Recommendations**
For Ex Libris ALEPH 500 versions 18.1 through 20, restrict access to the `cgi-bin/tag_m.cgi` endpoint until a patch is available (for example, limit it to trusted networks, or have a reverse proxy or WAF reject requests to it whose `find`, `lib`, or `sid` values contain markup characters). Note that these three parameters are supplied by the attacker in a crafted URL, so asking legitimate users to avoid them does not reduce exposure; the control has to be applied server-side or at the network edge. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
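The following is an added example, not code from Ex Libris or from ALEPH 500, illustrating both the Description and the Recommendations above. The two `render_*` functions are hypothetical: they only model "a CGI script echoes `find`, `lib` and `sid` into its HTML", first unencoded (the bug class described) and then with contextual HTML escaping. The `flag_log_lines` function is the kind of check a practitioner would run over web-server access logs to spot attempts against `cgi-bin/tag_m.cgi`; the log lines are constructed for the example, not captured traffic, and the path, parameter names and regexes are the example's own choices.

```python
"""Added example (not Ex Libris code): the XSS bug class behind CVE-2014-3718
in a minimal CGI-style handler, plus an access-log check for attempts.
All handlers and sample data are hypothetical / constructed.
"""
import html
import re
from urllib.parse import urlsplit, parse_qs

WATCHED_PARAMS = ("find", "lib", "sid")      # parameters named in the advisory
TARGET_PATH = "/cgi-bin/tag_m.cgi"            # endpoint named in the advisory


def render_vulnerable(params: dict) -> str:
    """Hypothetical handler that echoes the three parameters unencoded.
    This reproduces the vulnerable behaviour the advisory describes."""
    find = params.get("find", "")
    lib = params.get("lib", "")
    sid = params.get("sid", "")
    return (f"<html><body><h1>Tag</h1>"
            f"<p>Base: {lib} Session: {sid}</p>"
            f"<input name='find' value='{find}'></body></html>")


def render_hardened(params: dict) -> str:
    """Same handler, but every reflected value is HTML-escaped.
    quote=True also escapes ' and ", so attribute contexts are safe too."""
    esc = {k: html.escape(params.get(k, ""), quote=True) for k in WATCHED_PARAMS}
    return (f"<html><body><h1>Tag</h1>"
            f"<p>Base: {esc['lib']} Session: {esc['sid']}</p>"
            f"<input name='find' value='{esc['find']}'></body></html>")


# Combined-log style request field: "GET /path?query HTTP/1.1"
_REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Markup or scheme fragments that have no business in a search term,
# library code or session id (example heuristic, tune for your traffic).
_XSS_RE = re.compile(r"[<>]|javascript:|on[a-z]+\s*=", re.IGNORECASE)


def suspicious_params(request_target: str) -> list:
    """Return the watched parameter names whose URL-decoded value looks like markup."""
    parts = urlsplit(request_target)
    if parts.path != TARGET_PATH:
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)   # parse_qs URL-decodes
    hits = []
    for name in WATCHED_PARAMS:
        if any(_XSS_RE.search(v) for v in qs.get(name, [])):
            hits.append(name)
    return hits


def flag_log_lines(lines) -> list:
    """Return [(line, flagged_params)] for tag_m.cgi requests carrying markup."""
    out = []
    for line in lines:
        m = _REQ_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group(1))
        if hits:
            out.append((line, hits))
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2014:10:00:01 +0000] "GET /cgi-bin/tag_m.cgi?find=history&lib=usm01&sid=ABC123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jun/2014:10:00:07 +0000] "GET /cgi-bin/tag_m.cgi?find=%3Cscript%3Ealert(1)%3C%2Fscript%3E&lib=usm01&sid=ABC123 HTTP/1.1" 200 530',
    '10.0.0.9 - - [01/Jun/2014:10:00:09 +0000] "GET /cgi-bin/other.cgi?find=%3Cscript%3E HTTP/1.1" 404 200',
    '10.0.0.9 - - [01/Jun/2014:10:00:11 +0000] "GET /cgi-bin/tag_m.cgi?find=x&lib=usm01&sid=%27%3E%3Cimg%20src=x%20onerror=alert(1)%3E HTTP/1.1" 200 540',
]

if __name__ == "__main__":
    payload = {"find": "<script>alert(1)</script>", "lib": "usm01", "sid": "ABC123"}
    print("vulnerable:", render_vulnerable(payload))
    print("hardened:  ", render_hardened(payload))
    for line, hits in flag_log_lines(SAMPLE_LOG):
        print("FLAGGED", hits, "<-", line)
```

The hardened handler escapes at the point of output rather than trying to strip "bad" characters on input, which is the fix that actually closes reflected XSS; the log check is a triage aid only, since an attacker can encode payloads the heuristic does not match.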