CVE-2009-4786

Name of the Vulnerable Software and Affected Versions Pligg versions prior to 1.0.3

Description The issue allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to various API endpoints, including "admin/admin config.php", "admin/admin modules.php", "delete.php", "editlink.php", "submit.php", "submit groups.php", "user add remove links.php", and "user settings.php". This can lead to cross-site scripting (XSS) attacks.

Recommendations For Pligg versions prior to 1.0.3, update to version 1.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the mentioned API endpoints until the update is applied. Avoid using the HTTP Referer header in these endpoints until the issue is resolved.