CVE-2009-2920

Name of the Vulnerable Software and Affected Versions: Elvin version 1.2.2

Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the component and priority parameters to the "buglist.php" endpoint, and the Username, E-mail, Pass, and Confirm pass fields to the "createaccount.php" endpoint.

Recommendations: For Elvin version 1.2.2, as a temporary workaround, consider restricting access to the "buglist.php" and "createaccount.php" endpoints until a patch is available. Avoid using the component and priority parameters in the "buglist.php" endpoint, and the Username, E-mail, Pass, and Confirm pass fields in the "createaccount.php" endpoint until the issue is resolved.