CVE-2017-5990

Name of the Vulnerable Software and Affected Versions PhreeBooksERP versions prior to 2017-02-13

Description The issue exists due to insufficient filtration of user-supplied data in the form HTTP GET parameter passed to the "PhreeBooksERP-master/extensions/ShippingMethods/ups/label mgr/js include.php" and "PhreeBooksERP-master/extensions/ShippingMethods/yrc/label mgr/js include.php" URLs. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For versions prior to 2017-02-13, as a temporary workaround, consider restricting access to the js include.php files in the affected URLs until a patch is available. Avoid using the form parameter in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.