T-Podo

Rank: #20764 of 53,625
Total CVSS: 12.2
Vulnerabilities: 2 (Medium: 2)
PT-2023-11572 · CVSS 6.1 · 2023-06-20
Zrlog · Zrlog · CVE-2020-21052

**Name of the Vulnerable Software and Affected Versions:** zrlog version 2.1.3

**Description:** The issue allows a remote attacker to execute arbitrary code via the `nickame` parameter of the `/post/addComment` API endpoint. This enables the attacker to perform actions such as injecting malicious scripts.

**Recommendations:** For zrlog version 2.1.3, consider disabling the `/post/addComment` function until a patch is available to prevent exploitation via the `nickame` parameter. Restrict access to this function to minimize the risk of arbitrary code execution.
PT-2021-10608 · CVSS 6.1 · 2021-06-15
Zrlog · Zrlog · CVE-2020-21316

**Name of the Vulnerable Software and Affected Versions:** ZrLog version 2.1.3

**Description:** A cross-site scripting (XSS) vulnerability exists in the comment section, which allows remote attackers to inject arbitrary web script and steal administrator cookies via the `nickname` parameter, gaining access to the admin panel.

**Recommendations:** For ZrLog version 2.1.3, consider disabling the comment section or restricting access to it until a patch is available to prevent exploitation of the XSS vulnerability. Avoid using the `nickname` parameter in the comment section until the issue is resolved.