CVE-2017-7242

Name of the Vulnerable Software and Affected Versions SLiMS 7 Cendana versions prior to 2017-03-23

Description Multiple Cross-Site Scripting (XSS) issues were found in the admin/modules components. The keywords parameter in several PHP files is vulnerable, including "bibliography/checkout item.php", "bibliography/dl print.php", "bibliography/item.php", "bibliography/item barcode generator.php", "bibliography/printed card.php", "circulation/loan rules.php", "master file/author.php", "master file/coll type.php", and "master file/doc language.php". Additionally, the quickReturnID field in "circulation/ajax action.php" is affected.

Recommendations For SLiMS 7 Cendana versions prior to 2017-03-23, consider disabling the keywords parameter in the affected PHP files and restricting access to the quickReturnID field in "circulation/ajax action.php" until a patch is available.