CVE-2015-6010

Name of the Vulnerable Software and Affected Versions Web Reference Database (refbase) versions through 0.9.6 Web Reference Database (refbase) bleeding-edge versions before 2015-01-08

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters, including errorNo and errorMsg in the error.php endpoint "/error.php", viewType in the duplicate manager.php endpoint "/duplicate manager.php", and multiple parameters in the query manager.php endpoint "/query manager.php", such as queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, showRows, and queryID. Additionally, the sourceText and sourceIDs parameters in the import.php endpoint "/import.php", and the typeName and fileName parameters in the modify.php endpoint "/modify.php" are also vulnerable.

Recommendations For Web Reference Database (refbase) versions through 0.9.6, update to a version after 0.9.6. For Web Reference Database (refbase) bleeding-edge versions before 2015-01-08, update to a version after 2015-01-08. As a temporary workaround, consider restricting access to the vulnerable endpoints, such as "/error.php", "/duplicate manager.php", "/query manager.php", "/import.php", and "/modify.php", until a patch is available. Avoid using the vulnerable parameters, such as errorNo, errorMsg, viewType, queryAction, displayType, citeOrder, sqlQuery, showQuery, showLinks, showRows, queryID, sourceText, sourceIDs, typeName, and fileName, in the affected endpoints until the issue is resolved.