
Skruppy

#38035 of 53,634
7.3 Total CVSS
Vulnerabilities · 1
PT-2023-31712
7.3
2023-12-22
Unknown · Engelsystem · CVE-2023-50924

**Name of the Vulnerable Software and Affected Versions**

Engelsystem versions prior to 3.4.1

**Description**

Engelsystem is a shift planning system for chaos events. The system performed insufficient validation of user-supplied data in the DECT number, mobile number, and work-log comment fields. An authenticated user could therefore store JavaScript in these fields, and it was executed in other users' sessions (stored cross-site scripting). The injected JavaScript runs during normal use of the system whenever the overview pages that display these fields are viewed.

**Recommendations**

For versions prior to 3.4.1, update to version 3.4.1, which resolves the issue. As a temporary workaround, consider restricting access to the log overview pages to minimize the risk of exploitation. Additionally, avoid using the DECT number, mobile number, and work-log comment fields until the issue is resolved.