CVE-2010-4607

Name of the Vulnerable Software and Affected Versions Habari version 0.6.5

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can occur through the additem form parameter to "system/admin/dash additem.php" and the status data[] parameter to "system/admin/dash status.php", but only when register globals is enabled.

Recommendations For Habari version 0.6.5, consider disabling the register globals setting to mitigate the risk of exploitation. Additionally, restrict access to the "system/admin/dash additem.php" and "system/admin/dash status.php" endpoints to minimize the risk of XSS attacks. Avoid using the additem form and status data[] parameters in these endpoints until the issue is resolved.