CVE-2007-0146

Name of the Vulnerable Software and Affected Versions Fix and Chips CMS version 1.0

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via various form fields and parameters. The affected parameters and fields include the id parameter in delete-announce.php, the Announcement form field in staff.php, and multiple form fields in new customer.php, such as Client Name, Business Name, Street, Address 2, Town/City, Postcode, Phone Number, Email Address, and Website Address. Additionally, unspecified fields in search.php and client-results.php are vulnerable.

Recommendations For Fix and Chips CMS version 1.0, consider disabling the affected parameters and form fields, such as the id parameter in delete-announce.php, the Announcement form field in staff.php, and the specified form fields in new customer.php, until a patch is available. Restrict access to the vulnerable scripts search.php and client-results.php to minimize the risk of exploitation. Avoid using the vulnerable form fields in new customer.php until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.