CVE-2004-1563

Name of the Vulnerable Software and Affected Versions w-Agora version 4.1.6a

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to execute arbitrary web script or HTML. The affected API endpoints include "download thread.php", "login.php", and "forgot password.php". Specifically, the thread parameter to "download thread.php", the loginuser parameter to "login.php", and the userid parameter to "forgot password.php" are vulnerable.

Recommendations For w-Agora version 4.1.6a, consider disabling the execution of web scripts or HTML in the affected parameters as a temporary workaround. Restrict access to the vulnerable endpoints "download thread.php", "login.php", and "forgot password.php" to minimize the risk of exploitation. Avoid using the thread, loginuser, and userid parameters in the respective endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.