CVE-2015-1575

Name of the Vulnerable Software and Affected Versions u5CMS versions prior to 3.9.4

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different PHP files. The affected parameters include c, i, l, p to index.php, a or b to u5admin/cookie.php, name to copy.php or delete.php in u5admin/, f or typ to u5admin/deletefile.php, n to u5admin/done.php, c to u5admin/editor.php, uri to u5admin/meta2.php, n to u5admin/notdone.php, newname to u5admin/rename2.php, l to u5admin/sendfile.php, s to u5admin/characters.php, page to u5admin/savepage.php, or name to u5admin/new2.php.

Recommendations As a temporary workaround, consider restricting access to the affected PHP files until a patch is available. Update to version 3.9.4 or later to resolve the issue.