Tuando243

**Name of the Vulnerable Software and Affected Versions** BlogEngine version 3.3.8.0 **Description** A cross-site scripting (XSS) issue was found in the /blogengine/api/posts component, allowing attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the `Description` field. **Recommendations** For BlogEngine version 3.3.8.0, as a temporary workaround, consider restricting access to the /blogengine/api/posts endpoint until a patch is available. Avoid using the `Description` field in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Miniblog.Core version 1.0 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `Excerpt` field in the "/blog/edit" API endpoint. This enables the execution of malicious code on the client-side. **Recommendations** For Miniblog.Core version 1.0, consider disabling the editing functionality in the /blog/edit component until a patch is available to prevent exploitation of the XSS vulnerability. Restrict access to the Excerpt field to minimize the risk of malicious payload injection.

**Name of the Vulnerable Software and Affected Versions** Blogifier version 3.0 **Description** The issue allows attackers to execute arbitrary web scripts or HTML via a crafted file, exploiting an arbitrary file upload vulnerability at the `/api/storage/upload/PostImage` API endpoint. This enables attackers to potentially upload malicious files. **Recommendations** For Blogifier version 3.0, consider disabling the `/api/storage/upload/PostImage` API endpoint until a patch is available to prevent exploitation of the arbitrary file upload vulnerability. Restrict access to this endpoint to minimize the risk of uploading malicious files.

**Name of the Vulnerable Software and Affected Versions** PartKeepr version 1.4.0 **Description** A Cross Site Scripting issue exists via the `name` field in the "/api/part categories" API endpoint. **Recommendations** For PartKeepr version 1.4.0, as a temporary workaround, consider restricting access to the `/api/part categories` API endpoint until a patch is available. Avoid using the `name` field in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 4.4.5 **Description** There is a SQL Injection issue via the `PersonID` field in the "/churchcrm/WhyCameEditor.php" API endpoint. **Recommendations** For ChurchCRM version 4.4.5, as a temporary workaround, consider restricting access to the "/churchcrm/WhyCameEditor.php" endpoint until a patch is available. Avoid using the `PersonID` field in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pixelimity version 1.0 **Description** A Remote Code Execution (RCE) issue exists due to the lack of input data sanitization. This allows a remote attacker to execute arbitrary code through the "admin/admin-ajax.php?action=install theme" endpoint. The estimated number of potentially affected devices and details about real-world incidents are not provided. **Recommendations** For Pixelimity version 1.0, as a temporary workaround, consider disabling access to the "admin/admin-ajax.php?action=install theme" endpoint until a patch is available. Restrict input data to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Pixelimity version 1.0 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via the `Title` field in the "admin/pages.php?action=add new" endpoint. This enables attackers to inject malicious code into the application. **Recommendations** For Pixelimity version 1.0, consider restricting access to the "admin/pages.php?action=add new" endpoint until a fix is available, and avoid using the `Title` field in this endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** Hospital Patient Record Management System version 1.0 **Description** A stored cross-site scripting (XSS) issue allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `special` field. This enables attackers to potentially steal user data or take control of user sessions. **Recommendations** For Hospital Patient Record Management System version 1.0, consider disabling the `special` field input until a patch is available to prevent exploitation. Restrict access to sensitive areas of the system to minimize the risk of arbitrary script execution. At the moment, there is no information about a newer version that contains a fix for this issue.