CVE-2013-4753

Name of the Vulnerable Software and Affected Versions Claroline versions 1.11.9 and earlier

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via specific fields, including the Search field in an inbox action to "messaging/messagebox.php", the "First name" field to "auth/profile.php", or the Speakers field in an rqAdd action to "calendar/agenda.php".

Recommendations For Claroline versions 1.11.9 and earlier, consider disabling access to the vulnerable fields, such as the Search field in messaging/messagebox.php, the "First name" field in auth/profile.php, and the Speakers field in calendar/agenda.php, until a fix is available. Restrict access to the messaging/messagebox.php, auth/profile.php, and calendar/agenda.php files to minimize the risk of exploitation. Avoid using the affected fields in the specified PHP files until the issue is resolved.