openCRX 5.2.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Name field after creation of a Tracker in Manage Activity.

Concrete CMS 9 before 9.2.3 is vulnerable to Cross Site Request Forgery (CSRF) via /ccm/system/dialogs/logs/delete_all/submit. An attacker can force an admin user to delete server report logs on a web application to which they are currently authenticated.

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Product Configuration Name Field.

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Milestone Name Field.

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Category Creation Name Field.

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Name Field.

OpenCRX version 5.2.0 is vulnerable to HTML injection via Activity Saved Search Creation.

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Accounts Group Name Field.

OpenCRX version 5.2.0 is vulnerable to HTML injection via Product Name Field.

OpenCRX version 5.2.0 is vulnerable to HTML injection via the Activity Search Criteria-Activity Number.