CVE-2008-2022

Name of the Vulnerable Software and Affected Versions PD9 Software MegaBBS version 2.2

Description Multiple cross-site scripting (XSS) issues exist, allowing remote attackers to inject arbitrary web script or HTML. This can be achieved via the toid parameter to "send-private-message.asp" and the redirect parameter to "admin/impersonate.asp". Note that exploiting the second vector requires authentication.

Recommendations For PD9 Software MegaBBS version 2.2, as a temporary workaround, consider restricting access to the "send-private-message.asp" and "admin/impersonate.asp" pages until a patch is available. Avoid using the toid and redirect parameters in these pages to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.