CVE-2010-3023

Name of the Vulnerable Software and Affected Versions DiamondList versions 0.1.6 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the category[description] parameter to the "user/main/update category" endpoint, which is not properly handled by the app/views/categories/index.html.erb file. Additionally, the setting[site title] parameter to the "user/main/update settings" endpoint is not properly handled by the app/views/settings/ list settings.rhtml file.

Recommendations For DiamondList versions 0.1.6 and earlier, ensure that the category[description] and setting[site title] parameters are properly sanitized to prevent arbitrary web script or HTML injection. As a temporary workaround, consider restricting access to the "user/main/update category" and "user/main/update settings" endpoints until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.