CVE-2006-1590

Name of the Vulnerable Software and Affected Versions: Basic Analysis and Security Engine (BASE) version 1.2.4 Analysis Console for Intrusion Databases (ACID) version 0.9.6b23

Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved through various parameters, including the back parameter to "base graph main.php", the netmask parameter to "base stat ipaddr.php", or the submit parameter to "base qry alert.php" within BASE, or the query string to "acid main.php" in ACID. The vulnerability causes the request URI ($ SERVER['REQUEST URI']) to be inserted into a refresh operation.

Recommendations: For Basic Analysis and Security Engine (BASE) version 1.2.4, consider disabling the PrintFreshPage function until a patch is available. For Analysis Console for Intrusion Databases (ACID) version 0.9.6b23, restrict access to the "acid main.php" script to minimize the risk of exploitation. Avoid using the back, netmask, and submit parameters in the affected BASE API endpoints until the issue is resolved. As a temporary workaround, consider validating and sanitizing all user input to prevent malicious script injection.