CVE-2014-5101

Name of the Vulnerable Software and Affected Versions WeBid version 1.1.1

Description The issue allows remote attackers to inject arbitrary web script or HTML via multiple parameters in actions to register.php and user login.php. The affected parameters include TPL name, TPL nick, TPL email, TPL year, TPL address, TPL city, TPL prov, TPL zip, TPL phone, TPL pp email, TPL authnet id, TPL authnet pass, TPL worldpay id, TPL toocheckout id, TPL moneybookers email, and username.

Recommendations For WeBid version 1.1.1, as a temporary workaround, consider restricting the input for the parameters TPL name, TPL nick, TPL email, TPL year, TPL address, TPL city, TPL prov, TPL zip, TPL phone, TPL pp email, TPL authnet id, TPL authnet pass, TPL worldpay id, TPL toocheckout id, TPL moneybookers email, and username in the "register.php" and "user login.php" files to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.