Suncsr

**Name of the Vulnerable Software and Affected Versions** Orchard Core version RC1 **Description** Orchard Core RC1 has a persistent cross-site scripting issue. Remote attackers can inject malicious scripts by creating blog posts. The vulnerability allows execution of arbitrary scripts in victim browsers through the `MarkdownBodyPart.Source` parameter when creating blog posts with embedded JavaScript. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.50 **Description** A SQL injection issue affects the "administration/comments.php" endpoint via the `ctype` parameter. **Recommendations** For PHP-Fusion version 9.03.50, avoid using the `ctype` parameter in the affected endpoint until the issue is resolved. Consider restricting access to the administration/comments.php endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHP-Fusion version 9.03.50 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `go` parameter to "faq/faq admin.php" or "shoutbox panel/shoutbox admin.php" API endpoints. This can lead to cross-site scripting attacks. **Recommendations** For PHP-Fusion version 9.03.50, as a temporary workaround, consider restricting access to the "faq/faq admin.php" and "shoutbox panel/shoutbox admin.php" API endpoints to minimize the risk of exploitation. Avoid using the `go` parameter in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.