CVE-2013-1466

Name of the Vulnerable Software and Affected Versions glFusion versions prior to 1.2.2.pl4

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via various parameters, including subject in profiles.php, address1, address2, calendar type, city, state, title, url, or zipcode in calendar/index.php, title or url in links/index.php, or PATH INFO in admin/plugins/mediagallery/xppubwiz.php/.

Recommendations For versions prior to 1.2.2.pl4, update to version 1.2.2.pl4 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected parameters, such as subject, address1, address2, calendar type, city, state, title, url, zipcode, and PATH INFO, until a patch is applied. Avoid using these parameters in the affected API endpoints until the issue is resolved.