CVE-2005-4379

Name of the Vulnerable Software and Affected Versions Bitweaver versions 1.1 through 1.1.1 beta

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several parameters and API endpoints, including the sort mode parameter to endpoints such as "fisheye/list galleries.php", "messages/message box.php", and "users/my.php"; the post id parameter to "blogs/view post.php"; the blog id parameter to "blogs/view.php"; and the search field to "users/my groups.php".

Recommendations For Bitweaver version 1.1: Avoid using the sort mode parameter in the affected API endpoints until the issue is resolved. For Bitweaver version 1.1.1 beta: Restrict access to the post id parameter in "blogs/view post.php" and the blog id parameter in "blogs/view.php" to minimize the risk of exploitation. As a temporary workaround, consider disabling the search field in "users/my groups.php" until a patch is available.