CVE-2009-2219

Name of the Vulnerable Software and Affected Versions phpCollegeExchange version 0.1.5c

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the SESSION[handle] parameter to various PHP files, including home.php, books/allbooks.php, or books/home.php, or through the home parameter to files such as i head.php, i nav.php, allbooks.php, home.php, or i nav.php in the books/ directory. API Endpoints and variables involved include:

Recommendations For phpCollegeExchange version 0.1.5c, as a temporary workaround, consider validating and sanitizing the SESSION[handle] and home parameters to prevent injection of malicious scripts. Restrict access to the affected PHP files until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.