CVE-2008-3758

Name of the Vulnerable Software and Affected Versions Lussumo Vanilla versions 1.1.4 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via the NewPassword parameter to "people.php". Additionally, remote authenticated users can inject arbitrary web script or HTML via the Account picture and Icon fields in "account.php".

Recommendations For versions 1.1.4 and earlier, update to a version that addresses these issues, ensuring that the NewPassword parameter in "people.php" and the Account picture and Icon fields in "account.php" are properly sanitized to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the "people.php" and "account.php" pages until a patch is available.