CVE-2012-2910

Name of the Vulnerable Software and Affected Versions SiliSoftware phpThumb() version 1.7.11

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the dir parameter to "demo/phpThumb.demo.random.php" or the title parameter to "demo/phpThumb.demo.showpic.php".

Recommendations For version 1.7.11, consider disabling the phpThumb() function until a patch is available. Restrict access to the demo/phpThumb.demo.random.php and demo/phpThumb.demo.showpic.php scripts to minimize the risk of exploitation. Avoid using the dir and title parameters in the affected scripts until the issue is resolved.