CVE-2007-5072

Name of the Vulnerable Software and Affected Versions SPHPBlog versions prior to 0.5.1

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via certain user colors array parameters to specific user style.php files under the themes/ directory. This is particularly problematic when register globals is enabled. An example of a vulnerable parameter is user colors[bg color].

Recommendations For versions prior to 0.5.1, update to version 0.5.1 or later to resolve the issue. As a temporary workaround, consider disabling the register globals setting to minimize the risk of exploitation. Restrict access to the user style.php files under the themes/ directory to minimize the risk of exploitation. Avoid using the user colors array parameters in the affected API endpoints until the issue is resolved.