CVE-2008-1556

Name of the Vulnerable Software and Affected Versions BolinOS version 4.6.1

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various parameters and files, including the url parameter to "system/actionspages/ b/contentFiles/gBImageViewer.php", the ForEditor parameter to "system/actionspages/ b/contentFiles/gBselectorContents.php", the PATH INFO to "gBLoginPage.php" and "gBPassword.php" in "system/actionspages/ b/contentFiles/", the formlogin parameter to "system/actionspages/ b/contentFiles/gBLoginPage.php", and the bolini searchengine46Search parameter to "help/index.php".

Recommendations For BolinOS version 4.6.1, consider disabling access to the vulnerable files "gBImageViewer.php", "gBselectorContents.php", "gBLoginPage.php", "gBPassword.php", and "help/index.php" until a patch is available. Restrict the use of parameters url, ForEditor, PATH INFO, formlogin, and bolini searchengine46Search in the affected API endpoints to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.