CVE-2007-6659

Name of the Vulnerable Software and Affected Versions 2z project version 0.9.6.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including contentshort and contentfull in an addnews action, content in a pm write action to 2z/admin.php, referer to templates/default/usermenu.tpl, and newavatar or newphoto in a profile action.

Recommendations For version 0.9.6.1, consider restricting access to the addnews action and the pm write action to 2z/admin.php until a patch is available. As a temporary workaround, avoid using the contentshort, contentfull, content, referer, newavatar, and newphoto parameters in the affected API endpoints. Restrict access to the vulnerable templates/default/usermenu.tpl to minimize the risk of exploitation.