Zhouxingixngo

**Name of the Vulnerable Software and Affected Versions** CmsEasy version 7.0 **Description** The issue is related to a Cross-Site Scripting (XSS) problem. It occurs via the `url` parameter in the `ckplayer.php` API endpoint. **Recommendations** For CmsEasy version 7.0, consider restricting access to the `ckplayer.php` endpoint until a patch is available. As a temporary workaround, avoid using the `url` parameter in the `ckplayer.php` endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** CmsEasy version 7.0 **Description** The issue is related to a Cross-Site Scripting (XSS) problem. It occurs via the `autoplay` parameter in the `ckplayer.php` file. **Recommendations** For CmsEasy version 7.0, consider restricting access to the `ckplayer.php` file or disabling the `autoplay` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PHPMyWind version 5.5 **Description** The issue is related to an XSS vulnerability via the HTTP Host header in the admin/default.php file. **Recommendations** For PHPMyWind version 5.5, update the software to a version that includes a fix for this issue, or as a temporary workaround, consider validating and sanitizing the HTTP Host header to prevent XSS attacks.

**Name of the Vulnerable Software and Affected Versions** YUNUCMS version 1.1.8 **Description** The issue allows for XSS due to crafted data being written to the sys.php file. This can be demonstrated by modifying the `site title` in an admin/system/basic POST request to "/admin/system/basic". **Recommendations** For YUNUCMS version 1.1.8, consider restricting access to the vulnerable `System.php` controller until a patch is available. Avoid using the `site title` variable in the affected API endpoint until the issue is resolved.