CVE-2008-0605

Name of the Vulnerable Software and Affected Versions AstroSoft HelpDesk versions prior to 1.95.228

Description The issue allows remote attackers to inject arbitrary web script or HTML, which can lead to cross-site scripting (XSS) attacks. This is possible via the txtSearch parameter to the "operator/article/article search results.asp" endpoint and the Attach Id parameter to the "operator/article/article attachment.asp" endpoint. For the second vector, the XSS occurs in a forced SQL error message.

Recommendations For versions prior to 1.95.228, update to version 1.95.228 or later to resolve the issue. As a temporary workaround, consider restricting access to the txtSearch parameter in the "operator/article/article search results.asp" endpoint and the Attach Id parameter in the "operator/article/article attachment.asp" endpoint until a patch is available. Avoid using the txtSearch and Attach Id parameters in the affected API endpoints until the issue is resolved.