PT-2007-1427 · Mambo · Mambo

Trueend5 · Published 2007-03-07 · Updated 2018-10-16 · CVE-2006-7149

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions: Mambo versions 4.6.x

Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the query string to "index.php", which reflects the string in an error message from "mod_login.php". Additionally, the mcname parameter to "moscomment.php" and "com_comment.php" is vulnerable.

Recommendations: For Mambo version 4.6.x, consider disabling the mod_login.php module and restricting access to "moscomment.php" and "com_comment.php" until a patch is available. Avoid using the mcname parameter in the affected API endpoints until the issue is resolved.

Related identifiers

CVE-2006-7149

Affected products

Mambo