CVE-2006-3089

Name of the Vulnerable Software and Affected Versions PhpMyFactures versions 1.0 through 1.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters in different API endpoints, including prefixe dossier in "/inc/header.php", msg in "/remises/ajouter remise.php", "/tva/ajouter tva.php", "/stocks/ajouter.php", "/pays/ajouter pays.php", "/produits/ajouter cat.php", "/produits/ajouter produit.php", and "/produits/modifier cat.php", tire in "/remises/ajouter remise.php", quantite, taux, and date in "/stocks/ajouter.php", and pays and prefixe in "/pays/ajouter pays.php".

Recommendations For PhpMyFactures versions 1.0 through 1.2, consider disabling the parameters prefixe dossier, msg, tire, quantite, taux, date, pays, and prefixe in the respective API endpoints until a patch is available. Restrict access to the affected endpoints to minimize the risk of exploitation.