PT-2006-6169 · Torrentflux · Torrentflux

Published: 2006-10-23 · Updated: 2018-10-17 · CVE-2006-5451

CVSS v2.0: 2.6 (Low)

Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

TorrentFlux version 2.1

Description

The issue concerns multiple cross-site scripting (XSS) vulnerabilities that allow remote attackers to inject arbitrary web script or HTML via specific variables in certain PHP files. The action, file, and users array variables in admin.php are not properly handled when the administrator views the Activity Log. Additionally, the torrent parameter, used by the displayName variable in startpop.php, is vulnerable. This enables attackers to execute malicious scripts when these parameters are viewed by an administrator.

Recommendations

For TorrentFlux version 2.1, update the software to a version that properly sanitizes user input in the action, file, and users variables in admin.php and the torrent parameter in startpop.php. As a temporary workaround, consider restricting access to admin.php and startpop.php to minimize the risk of exploitation. Avoid using the action, file, and users variables in admin.php and the torrent parameter in startpop.php until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2006-5451

Affected Products

Torrentflux