PT-2009-2561 · Unica · Unica Affinium Campaign

Published: 2009-08-26 · Updated: 2017-08-17 · CVE-2008-7092

CVSS v2.0: 4.3 (Medium)

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Unica Affinium Campaign version 7.2.1.0.55

Description

The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different actions and web pages. These include the url, PageName, and title parameters in a CustomBookMarkLink action, the displayIcon parameter in the templates web page, crafted input to the listener server, and several id and other parameters in various actions and web pages. Injection is possible through JavaScript events and crafted input.

Recommendations

For Unica Affinium Campaign version 7.2.1.0.55, consider disabling the CustomBookMarkLink action and restricting access to the templates web page until a patch is available. Avoid using the url, PageName, title, displayIcon, id, function, sessionID, Frame, and affiniumUserName parameters in the affected actions and web pages until the issue is resolved. Restrict access to the listener server and the affected web pages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2008-7092

Affected Products

Unica Affinium Campaign