Open Audit · Open-Audit Professional · CVE-2018-9155
**Name of the Vulnerable Software and Affected Versions**
Open-AudIT Professional version 2.1.1
**Description**
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted component name that is rendered into the page without output encoding. This is demonstrated in the Admin->Logs section with a `logs?logs.type=` URI and in the Manage->Attributes section via the `Name (display)` field submitted to the `attributes/create` URI.
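The defect described above is a missing output-encoding step: a component name (or the reflected `logs.type` value) is written into the page verbatim, so any markup it carries is parsed as part of the document. The following block is an added example, not code from Open-AudIT or from the advisory; the helper names, the template shapes and the sample log entry are assumptions chosen for illustration. It shows the unsafe interpolation pattern beside its hardened form, applies the same encoder to the quoted `value` attribute that echoes the `Name (display)` field, and includes a small regression check that flags any tag in rendered output other than the template's own structural tags.

```javascript
// Added example, not code from Open-AudIT: the rendering pattern behind
// CVE-2018-9155 beside its hardened form. The helper names and the sample
// log entry below are assumptions made for this illustration.

// Encode the five characters that are significant in HTML text and
// double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the log type and component name reach the page
// verbatim, so markup inside them is parsed as part of the document.
function renderLogRowUnsafe(entry) {
  return `<tr><td>${entry.type}</td><td>${entry.component}</td></tr>`;
}

// Hardened pattern: every untrusted value is encoded for the HTML text
// context at the point it is written into markup.
function renderLogRow(entry) {
  return `<tr><td>${escapeHtml(entry.type)}</td>` +
         `<td>${escapeHtml(entry.component)}</td></tr>`;
}

// The "Name (display)" field is echoed back inside a quoted attribute
// value, so the same encoder must be applied there as well.
function renderDisplayNameInput(displayName) {
  return `<input type="text" name="display" value="${escapeHtml(displayName)}">`;
}

// Regression check for a template: after rendering, no tag other than the
// template's own structural tags may appear in the output.
function hasForeignTag(html, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample input (a test fixture, not data from the advisory):
// a component name that carries markup.
const SAMPLE_ENTRY = {
  type: 'discovery',
  component: 'Core Switch <b title="x">01</b>',
};
```

Running `hasForeignTag(renderLogRowUnsafe(SAMPLE_ENTRY), ['tr', 'td'])` returns `true`, while the same check on `renderLogRow(SAMPLE_ENTRY)` returns `false`, because the encoded name contains no `<` characters once it has passed through `escapeHtml`. The check is deliberately coarse: it is meant to catch a template that forgot to encode, not to sanitise input, which should never be the control relied on for XSS.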
**Recommendations**
For Open-AudIT Professional version 2.1.1, consider restricting access to the Admin->Logs and Manage->Attributes sections until a patch is available. As a temporary workaround, do not enter component names containing HTML or script markup in these sections, which limits the risk of exploitation.