Mephisto · Mephisto · CVE-2007-1768
Name of the Vulnerable Software and Affected Versions:
Mephisto versions 0.7.3 and Edge 20070325
Description:
A cross-site scripting issue allows remote attackers to inject arbitrary web script or HTML via the `author name` field in a comment. This occurs in the `app/helpers/application helper.rb` file.
Recommendations:
For Mephisto version 0.7.3, update the `application helper.rb` file to properly sanitize the `author name` field.
For Mephisto Edge 20070325, restrict access to the comment functionality until a proper fix is applied to sanitize the `author name` field.