Sqlhacker

#26963 of 53,622
9.3 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2014-2228
4.3
2014-08-29
Six Apart · Movable Type · CVE-2012-1503
**Name of the Vulnerable Software and Affected Versions**

Movable Type (MT) Pro version 5.13

**Description**

A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the comment section. This could potentially lead to unauthorized actions on the affected system.

**Recommendations**

For Movable Type (MT) Pro version 5.13, update to a version that includes a fix for this issue, since the comment section can otherwise be used to inject malicious scripts. As a temporary workaround, consider disabling the comment section until a patch is available.
PT-2010-4854
5.0
2010-09-22
Smartertools · Smartermail · CVE-2010-3486
**Name of the Vulnerable Software and Affected Versions**

SmarterMail version 7.1.3876

**Description**

A directory traversal issue exists, allowing remote attackers to read arbitrary files. This is achieved by manipulating the `name` parameter with specific sequences, including (1) `../` (dot dot slash), (2) `%5C` (encoded backslash), or (3) `%255c` (double-encoded backslash).

**Recommendations**

For SmarterMail version 7.1.3876, consider restricting access to the `FileStorageUpload.ashx` handler until a patch is available. As a temporary workaround, avoid using the `name` parameter in the affected API endpoint until the issue is resolved.