Unknown · I Hate Money · CVE-2020-15120
**Name of the Vulnerable Software and Affected Versions**
I Hate Money versions prior to 4.1.5
**Description**
An authenticated member of one project can modify and delete members of another project, without knowledge of this other project's private code. This can be further exploited to access all bills of another project without knowledge of this other project's private code. With the default configuration, anybody is allowed to create a new project, making it trivial for an attacker to become authenticated and exploit this flaw. The issue can be exploited through API endpoints such as "PUT /api/projects/<project>/members/<personID>" and "DELETE /api/projects/<project>/members/<personID>", as well as through the web interface at "/<project>/members/<personID>/edit".
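The flaw described above is an authorization check that resolves a member by its global person ID without confirming that the member belongs to the project the caller authenticated to. The following added example (illustrative code, not I Hate Money's own implementation; the `Store`, `Person` and project names are constructed) shows the unscoped lookup beside the scoped one, and exercises both with a caller authenticated to one project who supplies a member ID from another:

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class NotFound(Exception):
    """Raised when a member cannot be resolved inside the caller's project."""


@dataclass
class Person:
    id: int          # globally unique, as in a single persons table
    project_id: str  # the project this member belongs to
    name: str


@dataclass
class Store:
    """Constructed in-memory stand-in for a database with one global persons table."""
    persons: Dict[int, Person] = field(default_factory=dict)
    next_id: int = 1

    def add_member(self, project_id: str, name: str) -> Person:
        person = Person(self.next_id, project_id, name)
        self.persons[person.id] = person
        self.next_id += 1
        return person


def get_member_unscoped(store: Store, person_id: int) -> Person:
    """Vulnerable pattern: the member is looked up by its global id only, so any
    authenticated caller can reach members of any project."""
    person = store.persons.get(person_id)
    if person is None:
        raise NotFound
    return person


def get_member_scoped(store: Store, auth_project_id: str, person_id: int) -> Person:
    """Hardened pattern: the member must belong to the project the caller is
    authenticated to. A mismatch is reported exactly like a missing id, so the
    response does not reveal whether the id exists in some other project."""
    person = store.persons.get(person_id)
    if person is None or person.project_id != auth_project_id:
        raise NotFound
    return person


def delete_member(store: Store, auth_project_id: str, person_id: int, *, scoped: bool) -> str:
    """Delete a member on behalf of a caller authenticated to auth_project_id.
    Returns the deleted member's name; raises NotFound when the lookup refuses."""
    if scoped:
        person = get_member_scoped(store, auth_project_id, person_id)
    else:
        person = get_member_unscoped(store, person_id)
    del store.persons[person.id]
    return person.name


def cross_project_attempt(scoped: bool) -> Optional[str]:
    """A caller authenticated to 'alice-trip' targets a member id from 'bob-flat'.
    Returns the deleted name if the deletion went through, None if it was refused."""
    store = Store()
    store.add_member("alice-trip", "Alice")
    bob = store.add_member("bob-flat", "Bob")
    try:
        return delete_member(store, "alice-trip", bob.id, scoped=scoped)
    except NotFound:
        return None


def own_project_delete() -> Optional[str]:
    """The scoped check must still allow a project to manage its own members."""
    store = Store()
    alice = store.add_member("alice-trip", "Alice")
    try:
        return delete_member(store, "alice-trip", alice.id, scoped=True)
    except NotFound:
        return None


if __name__ == "__main__":
    print("unscoped lookup, cross-project:", cross_project_attempt(scoped=False))
    print("scoped lookup, cross-project:  ", cross_project_attempt(scoped=True))
    print("scoped lookup, own project:    ", own_project_delete())
```

The same scoping applies to every handler that takes a member ID, whether it is the API route or the web-interface edit form: the query that loads the member should be filtered by the authenticated project, not only by the ID taken from the URL.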
**Recommendations**
To fix the issue, update to version 4.1.5.
As a temporary workaround, consider setting `ALLOW_PUBLIC_PROJECT_CREATION = False` in the configuration to limit the impact, although existing users will still be able to exploit the flaw.