CVE-2021-3340

Name of the Vulnerable Software and Affected Versions Wikindx versions prior to 5.7.0 Wikindx versions 6.x through 6.4.0

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the message parameter to "index.php?action=initLogon" or "modules/admin/DELETEIMAGES.php".

Recommendations For versions prior to 5.7.0, update to version 5.7.0 or later. For versions 6.x through 6.4.0, update to a version later than 6.4.0. As a temporary workaround, consider restricting access to the "index.php?action=initLogon" and "modules/admin/DELETEIMAGES.php" endpoints until a patch is available. Avoid using the message parameter in the affected API endpoints until the issue is resolved.