CVE-2007-6545

Name of the Vulnerable Software and Affected Versions RunCMS versions prior to 1.6.1

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various means, including the subject parameter to "modules/news/submit.php", the PATH INFO to "modules/news/index.php", or an avatar image to "edituser.php". The XoopsPageNav class may be related to the vulnerability in the "modules/news/index.php" case.

Recommendations For versions prior to 1.6.1, update to version 1.6.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "modules/news/submit.php" and "modules/news/index.php" scripts, as well as limiting the ability to upload avatar images to "edituser.php" until the update can be applied. Avoid using the subject parameter in "modules/news/submit.php" and the PATH INFO in "modules/news/index.php" until the issue is resolved.