Xproxyx

Name of the Vulnerable Software and Affected Versions: InstantCMS versions through 2.17.3 Description: InstantCMS is a free and open source content management system. A blind Server-Side Request Forgery (SSRF) vulnerability exists that allows authenticated remote attackers to make arbitrary HTTP/HTTPS requests via the `package` parameter. This is possible within the installer functionality. Exploitation can lead to scanning the local network, calling local services and their functions, conducting a Denial-of-Service (DoS) attack, and disclosing a server's real IP address if it is behind a reverse proxy. It is also possible to exhaust server resources by sending numerous requests. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: NamelessMC versions prior to 2.2.3 Description: NamelessMC is a website software for Minecraft servers. A cross-site scripting (XSS) issue exists in the dashboard text editor component, potentially allowing remote authenticated attackers to inject arbitrary web script or HTML. Recommendations: Update to version 2.2.4 or later.

Name of the Vulnerable Software and Affected Versions: NamelessMC versions prior to 2.2.4 Description: NamelessMC is a website software for Minecraft servers. A sensitive information disclosure issue exists in versions prior to 2.2.4, allowing an unauthenticated remote attacker to gain sensitive information, such as the absolute path of the source code, via the `list` parameter. Recommendations: Update to version 2.2.4 or later.

Name of the Vulnerable Software and Affected Versions: NamelessMC versions prior to 2.2.4 Description: NamelessMC is a website software for Minecraft servers. A cross-site scripting (XSS) issue exists in NamelessMC before version 2.2.4, allowing authenticated attackers to inject arbitrary web script or HTML via the `default keywords` parameter. Recommendations: Update NamelessMC to version 2.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Emlog versions through 2.5.17 **Description** Emlog is a website building system susceptible to a cross-site scripting (XSS) issue. Insufficient sanitization of the `keyword` parameter allows remote attackers to inject arbitrary web scripts or HTML. Successful exploitation requires a user to click a specially crafted link, enabling the execution of JavaScript code in the administrator's browser. **Recommendations** Versions prior to 2.5.17 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emlog versions up to and including 2.5.17 **Description** Emlog is an open source website building system susceptible to a cross-site scripting (XSS) issue. A malicious actor with authentication can inject arbitrary web script or HTML via the `siteurl` parameter, leading to Stored XSS. Clicking a link containing the malicious code results in its execution. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emlog versions through 2.5.17 **Description** Emlog is a website building system. A cross-site scripting (XSS) issue exists that allows authenticated remote attackers to inject arbitrary web script or HTML via the file upload functionality. Specifically, an attacker can upload an SVG file containing JavaScript code, which is then executed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Emlog versions through 2.5.17 **Description** Emlog is a website building system. A cross-site scripting (XSS) issue exists in versions up to and including 2.5.17, allowing remote attackers to inject arbitrary web script or HTML via the `comment` and `comname` parameters. The reflected XSS requires the victim to send POST requests. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.