CVE-2012-1000

Name of the Vulnerable Software and Affected Versions LEPTON versions prior to 1.1.4

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the message parameter to "admins/login/forgot/index.php", or the display name or email parameters to "account/preferences.php".

Recommendations For LEPTON versions prior to 1.1.4, update to version 1.1.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the "admins/login/forgot/index.php" and "account/preferences.php" pages until the update is applied. Avoid using the message, display name, and email parameters in the affected pages until the issue is resolved.