CVE-2011-1714

Name of the Vulnerable Software and Affected Versions QooxDoo versions 1.3 and possibly other versions eyeOS versions 2.2 and 2.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the callback parameter in the framework/source/resource/qx/test/jsonp primitive.php file. This could potentially lead to unauthorized actions on the affected web application.

Recommendations For QooxDoo version 1.3, consider restricting access to the framework/source/resource/qx/test/jsonp primitive.php file until a patch is available. For eyeOS versions 2.2 and 2.3, avoid using the callback parameter in the affected API endpoint until the issue is resolved. As a temporary workaround, consider disabling the jsonp primitive.php file in QooxDoo until a patch is available.