CVE-2012-3872

Name of the Vulnerable Software and Affected Versions Open Constructor version 3.12.0

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via several parameters, including the result parameter to "data/file/edit.php", the q parameter to "confirm.php", or the keyword parameter to "users/users.php".

Recommendations For Open Constructor version 3.12.0, update to a version that fixes these XSS vulnerabilities. As a temporary workaround, consider restricting access to the affected API endpoints, such as "data/file/edit.php", "confirm.php", and "users/users.php", to minimize the risk of exploitation. Avoid using the result, q, and keyword parameters in these endpoints until the issue is resolved.