CVE-2012-4278

Name of the Vulnerable Software and Affected Versions Free Realty versions 3.1-0.6

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via several parameters, including notes to "admin/agenteditor.php", title, previewdesc, fulldesc, or notes to "agentadmin.php", or in an "addlisting" action to "agentadmin.php". Additionally, there are unspecified vectors to "admin/adminfeatures.php".

Recommendations For Free Realty versions 3.1-0.6, as a temporary workaround, consider restricting access to the vulnerable parameters notes, title, previewdesc, fulldesc in the affected API endpoints until a patch is available. Avoid using these parameters in "admin/agenteditor.php", "agentadmin.php", or "admin/adminfeatures.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.