PT-2006-3914 · Obm · Open Business Management

Published 2006-06-13 · Updated 2017-07-20 · CVE-2006-3009

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions
Open Business Management (OBM) version 1.0.3 pl1
Description Multiple cross-site scripting (XSS) vulnerabilities in OBM allow remote attackers to inject arbitrary HTML or web script via the tf_lang, tf_name, tf_user, tf_lastname, tf_contact, tf_datebefore and tf_dateafter parameters of several scripts, among them publication/publication_index.php, group/group_index.php, user/user_index.php, list/list_index.php and company/company_index.php. The parameter values are written back into the generated page without output encoding, so a crafted link opened by a logged-in OBM user runs the attacker's script in that user's session. The CVSS v2 vector (C:P/I:P) reflects that impact: script executing in the victim's browser can read and modify whatever that user can reach in the application.
Recommendations For OBM 1.0.3 pl1, the fix is to encode each of the tf_lang, tf_name, tf_user, tf_lastname, tf_contact, tf_datebefore and tf_dateafter values for the HTML context in which it is written out (in PHP, htmlspecialchars() with ENT_QUOTES), and additionally to validate them on input where the legal values are known: tf_lang against the set of installed languages, the date parameters against the expected date format. Validation alone is not sufficient, because names and contact fields legitimately contain quotes and ampersands; encoding at the point of output is what prevents injection. As a temporary workaround, restrict access to the affected scripts (publication/publication_index.php, group/group_index.php, user/user_index.php, list/list_index.php, company/company_index.php) at the web server, for example to authenticated users on trusted networks, until a patched version is installed.
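The following PHP snippet is an added illustration and is not OBM's own code: it shows the shape of the bug the advisory describes (a filter parameter echoed straight into a form field) next to the corrected form that encodes at output and allow-lists the parameters with a known value set. The parameter names come from the advisory; the function names, the form markup, the set of languages and the date format are assumptions made for the example.

```php
<?php
// Added example, not code from OBM. Parameter names follow the advisory;
// everything else (function names, markup, date format) is assumed.

// BEFORE: the request parameter is concatenated into the page unchanged,
// so anything placed in tf_name becomes part of the HTML the browser parses.
function render_filter_vulnerable(array $get): string
{
    $name = isset($get['tf_name']) ? $get['tf_name'] : '';
    return '<input type="text" name="tf_name" value="' . $name . '">';
}

// Encoder for the HTML attribute / element context. ENT_QUOTES also encodes
// single quotes, so a value cannot terminate the surrounding attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// AFTER: the same field, with the value encoded at the point of output.
function render_filter_fixed(array $get): string
{
    $name = isset($get['tf_name']) ? (string) $get['tf_name'] : '';
    return '<input type="text" name="tf_name" value="' . h($name) . '">';
}

// tf_lang has a small, known set of legal values: allow-list it and fall
// back to the default instead of trying to "clean" an unexpected value.
function valid_lang(?string $lang, array $allowed): string
{
    return ($lang !== null && in_array($lang, $allowed, true)) ? $lang : $allowed[0];
}

// tf_datebefore / tf_dateafter: accept only the expected shape (assumed here
// to be YYYY-MM-DD) before the value is used anywhere; otherwise drop it.
function valid_date(?string $d): ?string
{
    if ($d === null) {
        return null;
    }
    return preg_match('/^\d{4}-\d{2}-\d{2}$/', $d) === 1 ? $d : null;
}

// Constructed sample request for the demo (not a captured exploit): one
// parameter carrying markup, one unknown language, one malformed date.
$sample = [
    'tf_name'       => '"><b>x</b>',
    'tf_lang'       => 'xx',
    'tf_datebefore' => 'junk',
];

echo render_filter_vulnerable($sample), "\n";   // markup survives into the page
echo render_filter_fixed($sample), "\n";        // quotes and angle brackets encoded
echo valid_lang($sample['tf_lang'], ['en', 'fr']), "\n";
var_dump(valid_date($sample['tf_datebefore']));
```

Run it with `php example.php` and compare the two `<input>` lines: in the first the injected `"><b>x</b>` closes the attribute and adds an element, in the second it is inert text inside the attribute. The same `h()` wrapper has to be applied to every one of the parameters the advisory lists, in every script that echoes them; encoding one field while leaving the others raw does not close the finding.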


Related Identifiers

CVE-2006-3009

Affected Products

Open Business Management