PT-2006-3044 · Leadhound · Leadhound Lite+2
Published: 2006-04-26 · Updated: 2008-11-03 · CVE-2006-2063
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Leadhound Full and LITE version 2.1
Leadhound Network Version "Full Version"
Description
The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in multiple scripts, including the login parameter in scripts such as agent_affil.pl, agent_help.pl, and others, the logged parameter in scripts like agent_faq.pl and members.pl, the camp_id parameter in agent_links.pl, the banner parameter in agent_links.pl, the offset parameter in agent_links.pl and agent_subaffiliates.pl, the date parameter in agent_subaffiliates.pl, the dates parameter in agent_rev_det.pl, the page parameter in agent_camp_det.pl, the agent_id parameter in agent_commission_statement.pl, and the lost password field in lost_pwd.pl.
Recommendations
For Leadhound Full and LITE version 2.1, consider disabling the vulnerable scripts until a patch is available.
For Leadhound Network Version "Full Version", restrict access to the vulnerable parameters, such as login, logged, camp_id, banner, offset, date, dates, page, and agent_id, to minimize the risk of exploitation.
Avoid using the lost password field in lost_pwd.pl until the issue is resolved.
As a temporary workaround, consider implementing input validation and sanitization for all user-supplied data to prevent arbitrary web script or HTML injection.
Affected Products
Leadhound Full
Leadhound Lite
Leadhound Network