Stefan Friedli

**Name of the Vulnerable Software and Affected Versions** ManageEngine Password Manager Pro (PMP) versions prior to 6.1 Build 6104 **Description** The issue concerns a flaw in the cross-site scripting (XSS) protection mechanism. This flaw allows remote attackers to inject arbitrary web script or HTML via the `searchtext` parameter and other unspecified inputs, due to the use of case-sensitive checks for malicious inputs. **Recommendations** For versions prior to 6.1 Build 6104, update to version 6.1 Build 6104 or later to resolve the issue. As a temporary workaround, consider restricting access to the `searchtext` parameter in the affected API endpoint until a patch is available.

**Name of the Vulnerable Software and Affected Versions** TKS Banking Solutions ePortfolio version 1.0 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, bypassing the client-side protection scheme. One potential vector may be related to the `q` parameter in the search program. **Recommendations** For TKS Banking Solutions ePortfolio version 1.0, consider restricting access to the search program until a fix is available. Avoid using the `q` parameter in the search program to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.