Concerto · Concerto · CVE-2021-31930
Name of the Vulnerable Software and Affected Versions:
Concerto versions through 2.3.6
Description:
The issue allows an unauthenticated remote attacker to store arbitrary JavaScript by placing an XSS payload in the `First Name` or `Last Name` parameter at registration. When a privileged user later attempts to delete that account, the stored payload is rendered and executes in the privileged user's browser (stored cross-site scripting).
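The pattern behind this finding, as an added example that is not Concerto's code and not taken from the advisory: a hypothetical account-deletion prompt that interpolates the registered name into HTML without output encoding, beside the same prompt with encoding applied, plus a registration-side name check as a defence-in-depth layer. Concerto is a Ruby on Rails application, so the example is in Ruby using plain ERB; the template text, the `valid_name?` rules (no angle brackets, at most 100 characters) and the sample name are assumptions made for illustration.

```ruby
require 'erb'
require 'cgi'

# Constructed sample registration input (not from the advisory): a first name
# that carries markup, the kind of value the vulnerable fields would accept.
SAMPLE_FIRST_NAME = "Alice<script>alert(1)</script>"

# Hypothetical "before" rendering: the name is dropped raw into the HTML the
# administrator sees when deleting the account, so any markup it contains
# becomes part of the page and scripts run in the administrator's browser.
def render_delete_prompt_vulnerable(first_name, last_name)
  template = ERB.new("<p>Delete account <b><%= first_name %> <%= last_name %></b>?</p>")
  template.result(binding)
end

# Hardened rendering: output-encode every user-supplied value at the point it
# enters HTML. CGI.escapeHTML turns < > & " ' into entities, so the browser
# shows the name as text instead of parsing it as markup.
def render_delete_prompt_escaped(first_name, last_name)
  template = ERB.new(
    "<p>Delete account <b><%= CGI.escapeHTML(first_name) %> " \
    "<%= CGI.escapeHTML(last_name) %></b>?</p>"
  )
  template.result(binding)
end

# Defence-in-depth check for the registration endpoint (assumed rules): a
# person's name never needs angle brackets, so reject such values outright
# rather than trying to sanitize them. Output encoding remains the real fix.
def valid_name?(value)
  return false if value.nil? || value.strip.empty? || value.length > 100
  !value.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{render_delete_prompt_vulnerable(SAMPLE_FIRST_NAME, 'Smith')}"
  puts "escaped:    #{render_delete_prompt_escaped(SAMPLE_FIRST_NAME, 'Smith')}"
  puts "registration accepts 'Alice'? #{valid_name?('Alice')}"
  puts "registration accepts sample?  #{valid_name?(SAMPLE_FIRST_NAME)}"
end
```

The vulnerable renderer emits the `<script>` element verbatim; the escaped renderer emits `&lt;script&gt;` and the page stays inert. In a real Rails view the equivalent mistake is passing the value through `raw` or `html_safe`, which disables the framework's default escaping; the advisory does not say which template Concerto used, so that detail is not asserted here.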
Recommendations:
For versions through 2.3.6, as a temporary workaround, consider restricting access to the registration feature to reduce the risk of exploitation, and avoid using the `First Name` and `Last Name` parameters of the affected registration endpoint until the issue is resolved. At the time of writing, no newer version containing a fix for this vulnerability is known.