
Tarek Awadallah

Researcher from SySS GmbH
Rank #47354 of 53,638
5.4 Total CVSS
Vulnerabilities · 1
PT-2022-12452
5.4
2022-03-13
Unknown · Ponton X/P Messenger · CVE-2021-45889
**Name of the Vulnerable Software and Affected Versions**

PONTON X/P Messenger versions prior to 3.11.2

**Description**

An issue was discovered in several functions that are vulnerable to reflected cross-site scripting (XSS). This is demonstrated by various API endpoints, such as "private/index.jsp?partners/ShowNonLocalPartners.do?localID=", "private/index.jsp", "private/index.jsp?database/databaseTab.jsp", "private/index.jsp?activation/activationMainTab.jsp", "private/index.jsp?communication/serverTab.jsp", and "private/index.jsp?emailNotification/notificationTab.jsp".

**Recommendations**

For versions prior to 3.11.2, update to version 3.11.2 or later to resolve the issue. As a temporary workaround until the update can be applied, consider restricting access to the vulnerable API endpoints and avoid using the vulnerable functions they expose.