CVE-2008-0980

Name of the Vulnerable Software and Affected Versions Spyce - Python Server Pages (PSP) version 2.1.3

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved through various parameters in different API endpoints, including: the url or type parameter to "docs/examples/redirect.spy"; the x parameter to "docs/examples/handlervalidate.spy"; the name parameter to "spyce/examples/request.spy"; the Name parameter to "spyce/examples/getpost.spy"; the mytextarea, mypass, or an empty parameter to "spyce/examples/formtag.spy"; the newline parameter to the default URI under "demos/chat/"; the text1 parameter to "docs/examples/formintro.spy"; or the mytext or mydate parameter to "docs/examples/formtag.spy".

Recommendations For Spyce - Python Server Pages (PSP) version 2.1.3, consider disabling the affected API endpoints until a patch is available. Restrict access to the parameters url, type, x, name, Name, mytextarea, mypass, newline, text1, mytext, and mydate in their respective endpoints to minimize the risk of exploitation. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.