CVE-2012-5193

Name of the Vulnerable Software and Affected Versions Bitweaver versions 2.8.1 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the path info to certain API endpoints such as "stats/index.php" or "newsletters/edition.php", or by manipulating specific parameters like the username parameter to "users/remind password.php", the days parameter to "stats/index.php", the login parameter to "users/register.php", or the highlight parameter.

Recommendations For Bitweaver versions 2.8.1 and earlier, consider disabling access to the vulnerable API endpoints "stats/index.php", "newsletters/edition.php", "users/remind password.php", and "users/register.php" until a patch is available. Additionally, restrict the use of the username, days, login, and highlight parameters in the respective scripts to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.