CVE-2007-2600

Name of the Vulnerable Software and Affected Versions TutorialCMS versions 1.00 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the catFile parameter to "browseCat.php" or "browseSubCat.php", the id parameter to "openTutorial.php", "topFrame.php", or "admin/editListing.php", or the search parameter to "search.php".

Recommendations For TutorialCMS versions 1.00 and earlier, update to a version later than 1.00 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters catFile, id, and search in the affected API endpoints until a patch is available. Avoid using the parameters catFile and id in the affected PHP files until the issue is resolved. Restrict access to the vulnerable PHP files "browseCat.php", "browseSubCat.php", "openTutorial.php", "topFrame.php", "admin/editListing.php", and "search.php" to minimize the risk of exploitation.