Songohan22

Name of the Vulnerable Software and Affected Versions: phplist versions 3.5.4 and below Description: A stored cross site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the `rule1` parameter under the "Bounce Rules" module. Recommendations: For phplist versions 3.5.4 and below, avoid using the `rule1` parameter in the "Bounce Rules" module until a fix is available. Consider restricting access to the "Bounce Rules" module to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** phplist versions 3.5.4 and below **Description** A stored cross site scripting (XSS) issue exists in the "Import Subscribers" feature, allowing authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. **Recommendations** For phplist versions 3.5.4 and below, update to a version above 3.5.4 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: LavaLite version 5.8.0 Description: A stored cross site scripting (XSS) issue exists in the /admin/user/team component, allowing authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `New` parameter. Recommendations: For LavaLite version 5.8.0, consider disabling access to the /admin/user/team component until a fix is available, and avoid using the `New` parameter in this context to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: LavaLite version 5.8.0 Description: A stored cross site scripting (XSS) issue exists in the /admin/roles/role component, allowing authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `New` parameter. Recommendations: For LavaLite version 5.8.0, consider restricting access to the /admin/roles/role component until a fix is available, and avoid using the `New` parameter in this context to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: LavaLite version 5.8.0 Description: A stored cross site scripting (XSS) issue in the "/admin/contact/contact" API endpoint allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `New` parameter. This enables attackers to potentially manipulate the web application's behavior. Recommendations: For LavaLite version 5.8.0, consider disabling access to the "/admin/contact/contact" API endpoint until a patch is available, and restrict the use of the `New` parameter to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: phplist versions 3.5.4 and below Description: A stored cross site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the `Campaign` field under the `Send a campaign` module. Recommendations: For phplist versions 3.5.4 and below, update to a version above 3.5.4 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.60 **Description** The issue allows attackers to redirect victim users to malicious websites via a crafted payload entered into the Shoutbox message panel in the /php-fusion/infusions/shoutbox panel/shoutbox archive.php component. **Recommendations** For PHP-Fusion version 9.03.60, consider restricting access to the Shoutbox message panel until a fix is available, and avoid using the Shoutbox feature with untrusted input. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.60 **Description** A stored cross site scripting (XSS) vulnerability in "/administration/setting security.php" allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. **Recommendations** For PHP-Fusion version 9.03.60, consider disabling access to the "/administration/setting security.php" page until a patch is available. Restricting the ability to input crafted payloads in this context can also minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** phplist version 3.5.4 **Description** A stored cross site scripting (XSS) issue in the "Import emails" module allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. **Recommendations** For phplist version 3.5.4, consider disabling the "Import emails" module until a patch is available to prevent exploitation.

**Name of the Vulnerable Software and Affected Versions** phplist versions 3.5.4 and below **Description** A stored cross site scripting (XSS) issue allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload in the `admin` parameter under the "Manage administrators" module. **Recommendations** For versions 3.5.4 and below, consider disabling the "Manage administrators" module until a patch is available to prevent exploitation of the stored XSS issue.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.60 **Description** A stored cross site scripting (XSS) issue exists in the `/administration/settings registration.php` file, allowing authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Registration` field. This can be exploited by a remote attacker to execute arbitrary code using a specially crafted payload. **Recommendations** For PHP-Fusion version 9.03.60, as a temporary workaround, consider disabling access to the `/administration/settings registration.php` file until a patch is available. Restrict access to the `Registration` field in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.60 **Description** The issue is related to a reflected cross site scripting (XSS) vulnerability in the /administration/theme.php file of PHP-Fusion. This vulnerability can be exploited by authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Manage Theme` field. The vulnerability exists due to insufficient protection of the web page structure. **Recommendations** For PHP-Fusion version 9.03.60, consider disabling access to the /administration/theme.php file until a patch is available. Restrict access to the `Manage Theme` field to minimize the risk of exploitation. Avoid using the `Manage Theme` field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.50 **Description** A stored cross site scripting (XSS) vulnerability in the administration/settings main.php file allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the `Site footer` field. This issue is related to the lack of protection measures for the web page structure, which can be exploited by remote attackers to perform cross-site scripting attacks. **Recommendations** For PHP-Fusion version 9.03.50, consider disabling the ability to edit the `Site footer` field in administration/settings main.php until a patch is available to prevent exploitation of this issue. Restrict access to the administration/settings main.php file to minimize the risk of arbitrary web script or HTML execution. Avoid using the `Site footer` field in the affected administration/settings main.php file until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.50 **Description** The issue in PHP-Fusion allows an attacker to perform a session replay attack and impersonate the victim user because session cookies are not deleted once a user logs out. This can lead to unauthorized access to protected information. The vulnerability is related to bypassing the authentication procedure. **Recommendations** For PHP-Fusion version 9.03.50, ensure that session cookies are properly deleted upon user logout to prevent session replay attacks. As a temporary workaround, consider implementing a custom session destruction mechanism to mitigate the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Monstra CMS version 1.6 Description: The issue allows for XSS via an uploaded SVG document to the "admin/index.php?id=filesmanager&path=uploads/" URI. It is noted that Monstra CMS is a discontinued product. Recommendations: For Monstra CMS version 1.6, as a temporary workaround, consider restricting access to the "admin/index.php?id=filesmanager&path=uploads/" URI to minimize the risk of exploitation. Avoid using this version until a resolution is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.