T3L3Sc0P3

**Name of the Vulnerable Software and Affected Versions** Press (affected versions not specified) **Description** Press, a Frappe custom app used for managing infrastructure, subscriptions, marketplace, and software-as-a-service (SaaS), contains a flaw in the 'press.api.account.create api secret' endpoint. This endpoint allows database writes and is accessible via the GET method, making it susceptible to Cross-Site Request Forgery (CSRF) style exploits, where an attacker could trick a user into performing unintended actions. **Recommendations** Restrict the 'press.api.account.create api secret' endpoint to only allow POST requests.

**Name of the Vulnerable Software and Affected Versions** Press (affected versions not specified) **Description** Press is a Frappe custom app used for managing infrastructure, subscriptions, marketplace, and software-as-a-service (SaaS) on Frappe Cloud. The redirect parameter on the login page is susceptible to reflected Cross-Site Scripting (XSS), a flaw where an application includes untrusted data in a web page without proper validation, allowing an attacker to execute scripts in the victim's browser. **Recommendations** Restrict redirects to internal URLs only to prevent the execution of malicious scripts via the redirect parameter.

**Name of the Vulnerable Software and Affected Versions** Discourse versions prior to the latest version **Description** Discourse is an open source platform for community discussion. In affected versions, an attacker can trick a target user to make changes to their own username via a carefully crafted link using the `activate-account` route. **Recommendations** For versions prior to the latest version, update to the latest version of Discourse to resolve the issue. As a temporary workaround, consider restricting access to the `activate-account` route until the update is applied.