CVE-2005-4138

Name of the Vulnerable Software and Affected Versions ThWboard versions prior to 3 Beta 2.84

Description The issue allows remote attackers to inject arbitrary web script or HTML via specific fields and parameters, including the Wohnort and Beruf fields in editprofile.php, the user parameter array in v profile.php, and the action parameter in misc.php. This can lead to cross-site scripting (XSS) attacks.

Recommendations For ThWboard versions prior to 3 Beta 2.84, update to version 3 Beta 2.84 or later to resolve the issue. As a temporary workaround, consider restricting access to the editprofile.php, v profile.php, and misc.php files until the update is applied. Additionally, restrict the use of the Wohnort and Beruf fields in editprofile.php, the user parameter array in v profile.php, and the action parameter in misc.php to minimize the risk of exploitation.