PT-2011-4719 · Wuzly · Wuzly

Published: 2011-12-24 · Updated: 2017-08-29 · CVE-2011-3835

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Wuzly version 2.0

Description
Wuzly 2.0 allows remote attackers to inject arbitrary web script or HTML (cross-site scripting) via request parameters and headers that the application reflects into its pages:

- the Referer header sent to admin/login.php and admin/404.php;
- the q parameter to search.php;
- under admin/: the theme name parameter to theme settings.php, the extension name parameter to extension settings.php, the type parameter to comments.php, the sort parameter to pages.php and posts.php, and the type and q parameters to media.php;
- under mobile/: the sidebar parameter to add widget.php and widgets.php, the id parameter to category delete.php, comment.php, page delete.php, and post delete.php, the type parameter to media.php, and the id and sidebar parameters to widget delete.php;
- the name, email, website, and comment parameters to index.php;
- the username parameter to admin/login.php.

Recommendations
For Wuzly version 2.0, as a temporary workaround until a patch is available, consider restricting access to the affected endpoints, such as "admin/login.php" and "admin/404.php", and constraining the values accepted for the affected parameters (q, theme name, extension name, type, sort, sidebar, id, name, email, website, comment, and username). Restricting user input for these parameters helps minimize the risk of exploitation. Note that the Referer header is request data under the client's control as well, so it must be treated with the same care as the query parameters.
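As an added illustration, not Wuzly's own code, the following hypothetical PHP fragment shows the pattern behind this class of bug and its fix: a page that reflects the q parameter and the Referer header (two of the inputs named above) into HTML unescaped, beside a version that encodes them for the HTML context and validates the Referer before using it as a link target. Function names and page layout are assumptions.

```php
<?php
// Added example, not Wuzly's code: a hypothetical search page that reflects
// the q parameter and the Referer header, two inputs the advisory names.

// Vulnerable pattern: raw request data written straight into HTML, so any
// markup in the value becomes part of the page (reflected XSS).
function render_search_vulnerable(array $get, array $server): string {
    $q = $get['q'] ?? '';
    $ref = $server['HTTP_REFERER'] ?? '';
    return '<p>Results for: ' . $q . '</p>'
         . '<a href="' . $ref . '">Back</a>';
}

// Hardened pattern: encode for the HTML context in which the value lands.
// ENT_QUOTES also escapes single quotes, so the result is safe inside
// attribute values as well as in element text.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A Referer used as a link target additionally needs scheme validation so
// that only http(s) URLs end up in href; anything else falls back to "/".
function safe_back_url(string $ref): string {
    $parts = parse_url($ref);
    if ($parts === false
        || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return '/';
    }
    return $ref;
}

function render_search_hardened(array $get, array $server): string {
    $q = (string)($get['q'] ?? '');
    $ref = (string)($server['HTTP_REFERER'] ?? '');
    return '<p>Results for: ' . h($q) . '</p>'
         . '<a href="' . h(safe_back_url($ref)) . '">Back</a>';
}

// Constructed request: a search term carrying markup and a Referer whose
// quote character would otherwise break out of the href attribute.
$get = ['q' => 'books <b>bold</b>'];
$server = ['HTTP_REFERER' => 'https://example.test/?x="><i>'];
echo render_search_hardened($get, $server), PHP_EOL;
```

The same encoding step applies to every reflected parameter listed in the description; the header case is the one most often missed because it is not part of the query string.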

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2011-3835

Affected products

Wuzly