CVE-2011-5214

Name of the Vulnerable Software and Affected Versions BrowserCRM versions 5.100.01 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the PATH INFO to several API endpoints, such as "index.php", "modules/admin/admin module index.php", or "modules/calendar/customise calendar times.php". Additionally, attackers can exploit the login[] parameter in "index.php" or "pub/clients.php", or the framed parameter in "licence/index.php" or "licence/view.php".

Recommendations For BrowserCRM versions 5.100.01 and earlier, update to a version later than 5.100.01 to resolve the issue.