CVE-2006-1033

Name of the Vulnerable Software and Affected Versions Dragonfly CMS versions prior to 9.0.6.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different modules, including the Your Account, News, Stories Archive, Web Links, Surveys, Downloads, and coppermine modules, as well as the search box in several modules. The vulnerable parameters include uname, error, profile, username, catid, sid, Story Text, Extended text, month, year, sa, show, cid, ratetype, orderby, op, pollid, c, meta, and album.

Recommendations For Dragonfly CMS versions prior to 9.0.6.1, update to version 9.0.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable modules and parameters until a patch is applied. Avoid using the vulnerable parameters in the affected modules until the issue is resolved.