PT-2006-6827 · B2Evolution · B2Evolution

Tarkus · Published 2006-12-01 · Updated 2018-10-17 · CVE-2006-6197

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: b2evolution versions 1.8.2 through 1.9 beta

Description: The issue allows remote attackers to inject arbitrary web script or HTML (cross-site scripting). This can be achieved via the app_name parameter in the files 404_not_found.page.php, 410_stats_gone.page.php, and referer_spam.page.php in the inc/VIEW/errors/ directory, the baseurl parameter in 404_not_found.page.php, and the ReqURI parameter in referer_spam.page.php.

Recommendations: For b2evolution versions 1.8.2 through 1.9 beta, consider disabling the app_name, baseurl, and ReqURI parameters in the affected files until a patch is available. Restrict access to the inc/VIEW/errors/ directory to minimize the risk of exploitation. Until the issue is resolved, avoid using the app_name parameter in 404_not_found.page.php, 410_stats_gone.page.php, and referer_spam.page.php, the baseurl parameter in 404_not_found.page.php, and the ReqURI parameter in referer_spam.page.php.

Exploit

Fix


Related identifiers

CVE-2006-6197

Affected products

B2Evolution