CVE-2007-2337

Name of the Vulnerable Software and Affected Versions Exponent CMS version 0.96.6 Alpha and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the url parameter to "magpie debug.php" and "magpie simple.php" in external/magpierss/scripts/, the rss url parameter to "magpie slashbox.php" in external/magpierss/scripts/, and the body parameter to the weblogmodule (aka Weblog Comments) module.

Recommendations For Exponent CMS version 0.96.6 Alpha and earlier, consider disabling the weblogmodule and restricting access to "magpie debug.php", "magpie simple.php", and "magpie slashbox.php" until a patch is available. Avoid using the url and rss url parameters in the affected scripts, and the body parameter in the weblogmodule, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.