CVE-2011-4920

Name of the Vulnerable Software and Affected Versions e107 versions 0.7.26 through 0.9.x and other versions prior to 1.0.0

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the URL to "e107 images/thumb.php" or "rate.php", the resend name parameter to "e107 admin/users.php", and the link BBCode in user signatures.

Recommendations For versions 0.7.26 through 0.9.x and other versions prior to 1.0.0, update to version 1.0.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "e107 images/thumb.php" and "rate.php" scripts, and avoid using the resend name parameter in "e107 admin/users.php" until a patch is available. Restrict the use of link BBCode in user signatures to minimize the risk of exploitation.