CVE-2014-1877

Name of the Vulnerable Software and Affected Versions Dokeos version 2.1.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via several fields, including the Phone, Street, Address line, Zip code, or City field to "main/auth/profile.php", the Subject field to "main/social/groups.php", or the Message body field to "main/messages/view message.php".

Recommendations For Dokeos version 2.1.1, as a temporary workaround, consider validating and sanitizing user input for the Phone, Street, Address line, Zip code, City, Subject, and Message body fields to prevent injection of malicious scripts. Restrict access to the "main/auth/profile.php", "main/social/groups.php", and "main/messages/view message.php" endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.