CVE-2006-1430

Name of the Vulnerable Software and Affected Versions CONTROLzx HMS (formerly DRZES) versions 3.3.4 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via several parameters, including the dedicatedPlanID parameter to "dedicated order.php", the sharedPlanID parameter to "shared order.php", the plan id parameter to "customers/server management.php", and the email field to "customers/forgotpass.php".

Recommendations For CONTROLzx HMS versions 3.3.4 and earlier, update to a version later than 3.3.4 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters dedicatedPlanID, sharedPlanID, and plan id, as well as the email field in the specified API endpoints until a patch is available.