CVE-2008-3260

Name of the Vulnerable Software and Affected Versions: Claroline versions prior to 1.8.10

Description: The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the cwd parameter in a rqMkHtml action to document/rqmkhtml.php, or the query string to various PHP files in the claroline directory, including announcements/announcements.php, calendar/agenda.php, course/index.php, course description/index.php, document/document.php, exercise/exercise.php, group/group space.php, phpbb/newtopic.php, phpbb/reply.php, phpbb/viewtopic.php, wiki/wiki.php, or work/work.php.

Recommendations: For versions prior to 1.8.10, update to version 1.8.10 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable PHP files until a patch is available. Avoid using the cwd parameter in the rqMkHtml action to document/rqmkhtml.php until the issue is resolved.