CVE-2006-0800

Name of the Vulnerable Software and Affected Versions PostNuke versions 0.761 and earlier

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML tags with a trailing "<" character. This character is interpreted as a ">" character by some web browsers but bypasses the blacklist protection in certain functions, including the pnVarCleanFromInput function in pnAPI.php, the pnSecureInput function in pnAntiCracker.php, and the htmltext parameter in an edituser operation to user.php.

Recommendations For PostNuke versions 0.761 and earlier, consider disabling the pnVarCleanFromInput function, the pnSecureInput function, and restricting access to the htmltext parameter in the edituser operation to user.php until a patch is available. Avoid using HTML tags with a trailing "<" character in the affected functions and parameters to minimize the risk of exploitation.