PT-2007-1351 · Geoclassifieds · Geoclassifieds Enterprise

Published: 2007-02-27 · Updated: 2018-10-16 · CVE-2006-7072

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: GeoClassifieds Enterprise versions 2.0.5.2 and earlier

Description: A cross-site scripting issue allows remote attackers to inject arbitrary web script and HTML. This can be achieved via the b[username] and c parameters to "index.php", the b[username] parameter to "admin/index.php", and the c[phone] parameter to "register.php".

Recommendations: For GeoClassifieds Enterprise versions 2.0.5.2 and earlier, as a temporary workaround, consider restricting access to the affected parameters (b[username], c, and c[phone]) on the respective endpoints until a patch is available, and avoid relying on these parameters in "index.php", "admin/index.php", and "register.php" until the issue is resolved. At the time of writing, there is no information about a newer version that contains a fix for this issue.
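The following is an added example, not code from the advisory or from the GeoClassifieds project. It shows the two things a defender wants here: the output encoding a fix would apply before reflecting any of the named parameters into a page, and a scan of web-server access logs that flags requests carrying HTML markup in exactly those parameters. It assumes the affected scripts sit at the paths the advisory names (relative to the web root), that logs are in the common/combined format, and that only GET query strings are visible in the log (POST bodies, which "register.php" may use for c[phone], are not logged and would need application-side checks). The sample log lines are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Affected parameters per script, taken from the advisory text.
# Script paths are assumed to be relative to the application's web root.
AFFECTED_PARAMS = {
    "index.php": {"b[username]", "c"},
    "admin/index.php": {"b[username]"},
    "register.php": {"c[phone]"},
}

# Characters or tokens that let a reflected value break out of an HTML text
# or attribute context; a match is a detection signal, not proof of exploitation.
MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:", re.IGNORECASE)

# Request line inside a common/combined-format access log entry.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def encode_for_html(value):
    """Output encoding to apply before echoing a parameter into HTML.
    Escapes & < > " and ', the PHP equivalent being
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8')."""
    return html.escape(value, quote=True)


def affected_values(request_target):
    """Return {param: [values]} for the advisory's affected parameters only,
    given a request target such as '/index.php?c=1&b[username]=x'."""
    parts = urlsplit(request_target)
    path = parts.path.lstrip("/")
    # Longest script name first so 'admin/index.php' is not mistaken for 'index.php'.
    script = next(
        (s for s in sorted(AFFECTED_PARAMS, key=len, reverse=True)
         if path == s or path.endswith("/" + s)),
        None,
    )
    if script is None:
        return {}
    # parse_qs percent-decodes names, so 'b%5Busername%5D' becomes 'b[username]'.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {p: params[p] for p in AFFECTED_PARAMS[script] if p in params}


def flag_xss_attempts(log_lines):
    """Scan access-log lines; return (script, param, value) for each request whose
    affected parameter carries markup. GET-only: POST bodies are not in the log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        for param, values in affected_values(target).items():
            for v in values:
                if MARKUP_RE.search(v):
                    hits.append((target.split("?")[0], param, v))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2007:10:00:01 +0000] "GET /index.php?c=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Feb/2007:10:00:02 +0000] '
    '"GET /index.php?c=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Feb/2007:10:00:03 +0000] '
    '"GET /admin/index.php?b%5Busername%5D=%22%3E%3Cimg%20src=x%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [27/Feb/2007:10:00:04 +0000] "GET /search.php?q=%3Cb%3E HTTP/1.1" 200 100',
]


if __name__ == "__main__":
    for script, param, value in flag_xss_attempts(SAMPLE_LOG):
        # Encode before printing so the finding itself is safe to paste into a report.
        print(f"{script} {param}={encode_for_html(value)}")
```

The scanner only looks at the parameters the advisory lists, which keeps the false-positive rate low but means it says nothing about other scripts (the "/search.php" line above is ignored by design); the encoding helper is what the application itself should apply at every point where these values are written into HTML.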


Related Identifiers

CVE-2006-7072

Affected Products

Geoclassifieds Enterprise