CVE-2007-6494

Name of the Vulnerable Software and Affected Versions Hosting Controller versions 6.1 Hot fix 3.3 and earlier

Description The issue allows remote attackers to obtain login access. This can be achieved via a request to "hosting/addreseller.asp" with a reseller parameter set to a username, followed by a request to "AdminSettings/displays.asp" with the DecideAction and ChangeSkin parameters.

Recommendations For Hosting Controller versions 6.1 Hot fix 3.3 and earlier, as a temporary workaround, consider restricting access to the "hosting/addreseller.asp" and "AdminSettings/displays.asp" endpoints until a patch is available. Avoid using the reseller parameter in the "hosting/addreseller.asp" endpoint, and the DecideAction and ChangeSkin parameters in the "AdminSettings/displays.asp" endpoint, to minimize the risk of exploitation.