PT-2006-6470 · Elog · Elog

Ulf Harnhammar · Published 2006-11-07 · Updated 2017-07-20 · CVE-2006-5791

CVSS v2.0: 2.6 (Low)
Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: ELOG versions 2.6.2 and earlier
Description: Multiple cross-site scripting (XSS) issues allow remote attackers to inject arbitrary HTML or web script via specific parameters. First, the filename requested for download is not properly quoted when the send_file_direct function echoes it into an error message. Second, the Type or Category values of a new entry are not properly handled when the submit_elog function reports them in an error message, again allowing arbitrary web script to be injected.
Recommendations: For ELOG versions 2.6.2 and earlier, consider disabling the send_file_direct and submit_elog functions until a patch is available, to prevent exploitation. Restrict access to error messages that may contain user-supplied data to minimize the risk of arbitrary HTML or web script injection.
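An added example, not ELOG's own code, of the bug class described above, in C because the elogd server is implemented in C: a requested filename reflected into an HTML error message unescaped, beside a hardened version that escapes it first. The function names, the message text and the escape_html helper are hypothetical and mirror the advisory's wording rather than elogd's source.

```c
/* Added example (not from ELOG): user input reflected into an HTML error page.
   escape_html() and the two file_not_found_* functions are hypothetical names. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the characters that change meaning in HTML text or attribute context.
   Returns a newly allocated string; the caller frees it. */
char *escape_html(const char *in) {
    size_t cap = strlen(in) * 6 + 1;   /* worst case: every char becomes "&quot;" */
    char *out = malloc(cap);
    if (!out) return NULL;
    char *p = out;
    for (; *in; in++) {
        const char *rep;
        switch (*in) {
            case '&':  rep = "&amp;";  break;
            case '<':  rep = "&lt;";   break;
            case '>':  rep = "&gt;";   break;
            case '"':  rep = "&quot;"; break;
            case '\'': rep = "&#39;";  break;
            default:   *p++ = *in; continue;
        }
        size_t n = strlen(rep);
        memcpy(p, rep, n);
        p += n;
    }
    *p = '\0';
    return out;
}

/* Vulnerable pattern: the attacker-controlled filename lands verbatim in the page. */
int file_not_found_vulnerable(const char *filename, char *buf, size_t buflen) {
    return snprintf(buf, buflen, "<p>File \"%s\" not found</p>", filename);
}

/* Hardened pattern: escape before interpolating into the HTML body. */
int file_not_found_safe(const char *filename, char *buf, size_t buflen) {
    char *esc = escape_html(filename);
    if (!esc) return -1;
    int n = snprintf(buf, buflen, "<p>File \"%s\" not found</p>", esc);
    free(esc);
    return n;
}

int main(void) {
    char buf[256];
    file_not_found_safe("<b>constructed</b>.txt", buf, sizeof buf);  /* constructed input */
    puts(buf);
    return 0;
}
```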


Related identifiers

CVE-2006-5791
DSA-1242-1

Affected products

Elog