CVE-2008-0851

Name of the Vulnerable Software and Affected Versions Dokeos version 1.8.4

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially affecting a significant number of devices worldwide. This is achieved through multiple cross-site scripting (XSS) vulnerabilities. Specifically, the vulnerabilities exist in the following parameters: username in the "inscription.php" endpoint, courseCode in the "main/calendar/myagenda.php" endpoint, category in the "main/admin/course category.php" endpoint, message in the "main/admin/session list.php" endpoint when performing a "show message" action, and an avatar image in the "main/auth/profile.php" endpoint.

Recommendations For Dokeos version 1.8.4, consider disabling the affected parameters, such as username, courseCode, category, and message, in their respective endpoints until a patch is available. Additionally, restrict the upload of avatar images to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.