CVE-2006-1850

Name of the Vulnerable Software and Affected Versions xFlow versions 5.46.11 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters to certain API endpoints. The vulnerable parameters include level, position, id, and action in the "members only/index.cgi" endpoint, and the page parameter in the "customer area/index.cgi" endpoint.

Recommendations For xFlow versions 5.46.11 and earlier, as a temporary workaround, consider restricting access to the "members only/index.cgi" and "customer area/index.cgi" endpoints until a patch is available. Avoid using the level, position, id, action, and page parameters in these endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.