CVE-2007-5727

Name of the Vulnerable Software and Affected Versions OneOrZero Helpdesk versions 1.6.4.2 through 1.6.5.4

Description The issue allows remote attackers to conduct cross-site scripting (XSS) attacks by injecting arbitrary web script or HTML via XSS sequences without SCRIPT tags in the description parameter to (1) "tcreate.php" or (2) "tupdate.php". This can be achieved using events such as onmouseover in a b tag.

Recommendations For OneOrZero Helpdesk versions 1.6.4.2 through 1.6.5.4, consider disabling the stripScripts function in common.php until a patch is available, and restrict access to the "tcreate.php" and "tupdate.php" endpoints to minimize the risk of exploitation. Avoid using the description parameter in these endpoints until the issue is resolved.