CVE-2009-4842

Name of the Vulnerable Software and Affected Versions ToutVirtual VirtualIQ Pro version 3.5 build 8691

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via several parameters in different API endpoints, including addNewDept, deptId, deptDesc in the /tvserver/server/user/addDepartment.jsp endpoint, or firstName, lastName, email in a save action to the /tvserver/user/user.do endpoint.

Recommendations For ToutVirtual VirtualIQ Pro version 3.5 build 8691, consider restricting access to the vulnerable API endpoints, such as /tvserver/server/user/addDepartment.jsp and /tvserver/user/user.do, until a patch is available. As a temporary workaround, avoid using the parameters addNewDept, deptId, deptDesc, firstName, lastName, email in the affected endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.