CVE-2007-2306

Name of the Vulnerable Software and Affected Versions Virtual War (VWar) versions 1.5.0 R15 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This is possible via the memberlist parameter to "extra/login.php" and the title parameter to "extra/today.php" when register globals is enabled.

Recommendations For Virtual War (VWar) versions 1.5.0 R15 and earlier, consider disabling the register globals setting to mitigate the risk of exploitation. As a temporary workaround, restrict access to the "extra/login.php" and "extra/today.php" scripts until a patch is available. Avoid using the memberlist and title parameters in the affected API endpoints until the issue is resolved.