CVE-2006-2746

Name of the Vulnerable Software and Affected Versions F@cile Interactive Web versions 0.8.5 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved via the lang parameter in index.php, and the mytheme and myskin parameters in multiple "p-themes" index.inc.php files, including lowgraphic, classic, puzzle, simple, and ciao. It is noted that some vectors might be resultant from file inclusion issues.

Recommendations For F@cile Interactive Web versions 0.8.5 and earlier, consider disabling the lang, mytheme, and myskin parameters in the affected files until a patch is available. Restrict access to the index.php and "p-themes" index.inc.php files to minimize the risk of exploitation. Avoid using the lang, mytheme, and myskin parameters in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.