CVE-2012-6517

Name of the Vulnerable Software and Affected Versions DiY-CMS version 1.0

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the question parameter to /modules/poll/add.php or the question or answer parameters to /modules/poll/edit.php.

Recommendations For DiY-CMS version 1.0, avoid using the question parameter in the /modules/poll/add.php and /modules/poll/edit.php API endpoints, and the answer parameter in the /modules/poll/edit.php endpoint until a fix is available. Consider restricting access to these endpoints to minimize the risk of exploitation.