CVE-2013-7194

Name of the Vulnerable Software and Affected Versions eFront version 3.6.14 (build 18012)

Description The issue allows remote authenticated administrators to inject arbitrary web script or HTML via the Last name, Lesson name, or Course name field in the www/administrator.php file. This can be exploited by injecting malicious code through these fields.

Recommendations For eFront version 3.6.14 (build 18012), as a temporary workaround, consider restricting access to the www/administrator.php file until a patch is available. Avoid using the Last name, Lesson name, or Course name fields in this file until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.