CVE-2009-2006

Name of the Vulnerable Software and Affected Versions: Dokeos versions 1.8.5 and earlier

Description: The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including the search term parameter to "main/auth/courses.php", the frm title and frm content parameters in a new personal agenda item action, the title and tutor name parameters in a new course action, and the student and course parameters to "main/mySpace/myStudents.php".

Recommendations: For Dokeos versions 1.8.5 and earlier, as a temporary workaround, consider restricting access to the affected parameters, such as search term, frm title, frm content, title, tutor name, student, and course, until a patch is available. Avoid using these parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.