PT-2006-7056 · Tforum · Vt-Forum Lite

St@Rext · Published 2006-12-10 · Updated 2018-10-17 · CVE-2006-6447

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions: Vt-Forum Lite versions 1.3 through 1.5

Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the StrMes parameter in "vf info.asp" or possibly a URL in the SRC attribute of an IFRAME element submitted to "vf newtopic.asp".

Recommendations: For versions 1.3 and 1.5, consider restricting access to the vf info.asp and vf newtopic.asp pages until a fix is available. As a temporary workaround, avoid using the StrMes parameter in the "vf info.asp" page. Restrict the submission of URLs in the SRC attribute of IFRAME elements to the "vf newtopic.asp" page to minimize the risk of exploitation.


Related identifiers: CVE-2006-6447

Affected products: Vt-Forum Lite