CVE-2006-3494

Name of the Vulnerable Software and Affected Versions Buddy Zone version 1.0.1

Description The issue allows remote attackers to inject arbitrary HTML and web script. This can be achieved via several parameters, including the cat id parameter to "view classifieds.php", the id parameter in "view ad.php", the event id parameter in "view event.php", "delete event.php", and "edit event.php", and the group id in "view group.php".

Recommendations For Buddy Zone version 1.0.1, consider restricting access to the vulnerable parameters cat id, id, event id, and group id in the respective API endpoints until a patch is available. As a temporary workaround, avoid using these parameters in the affected endpoints.