CVE-2014-9101

Name of the Vulnerable Software and Affected Versions Oxwall versions 1.7.0 (build 7907 and 7906) SkaDate Lite version 2.0 (build 7651)

Description The issue allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact. This can be achieved via several parameters, including the label parameter to "admin/users/roles/", lang[1][base][questions account type 5615100a931845eca8da20cfdf7327e0] in an AddAccountType action, qst name parameter in an addQuestion action to "admin/questions/ajax-responder/", or the form name or restrictedUsername parameter to "admin/restricted-usernames".

Recommendations For Oxwall version 1.7.0 (build 7907 and 7906), consider disabling the admin/users/roles/, AddAccountType, addQuestion, and admin/restricted-usernames actions until a patch is available. For SkaDate Lite version 2.0 (build 7651), restrict access to the admin/questions/ajax-responder/ and admin/restricted-usernames endpoints to minimize the risk of exploitation. Avoid using the label, lang[1][base][questions account type 5615100a931845eca8da20cfdf7327e0], qst name, form name, and restrictedUsername parameters in the affected API endpoints until the issue is resolved.