Stefano Lanaro

**Name of the Vulnerable Software and Affected Versions** Hyland org.alfresco:alfresco-content-services versions through 7.0.1.2 **Description** An issue allows executing scripts uploaded outside of the Data Dictionary, potentially enabling a logged-in attacker to execute arbitrary code inside a sandboxed environment. **Recommendations** For versions through 7.0.1.2, consider restricting script execution to only those uploaded within the Data Dictionary as a temporary mitigation measure. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** org.alfresco:share versions through 7.0.0.2 org.alfresco:community-share versions through 7.0 **Description** The issue is related to an evasion of the XSS filter for HTML input validation in the Alfresco Share User Interface, leading to stored XSS. This could be exploited by an attacker with privileges on the content collaboration features. **Recommendations** For org.alfresco:share versions through 7.0.0.2, update to a version that fixes the evasion of the XSS filter. For org.alfresco:community-share versions through 7.0, update to a version that fixes the evasion of the XSS filter. As a temporary workaround, consider restricting access to the Alfresco Share User Interface to minimize the risk of exploitation.