PT-2009-2529 · One News · One-News
Published 2009-08-24 · Updated 2018-10-11 · CVE-2008-7060
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
One-News version Beta 2
Description
One-News Beta 2 is vulnerable to cross-site scripting (XSS): remote attackers can inject arbitrary HTML and web script through request parameters that certain PHP files write into pages without output encoding. The affected inputs are the title and content parameters of a news item submitted to "add.php", and the itemnum, author, and comment parameters of a comment submitted to "index.php". Injecting via the title or content parameters requires user authentication; the comment parameters do not.
Recommendations
For One-News version Beta 2, as a temporary workaround, consider restricting access to the "add.php" and "index.php" files until a patch is available. Avoid using the title, content, itemnum, author, and comment parameters on the affected pages until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
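The weakness above is the classic pattern of request parameters being written into HTML verbatim. The following PHP is an added illustration written for this advisory, not One-News code (the project's real handlers were not reviewed): it shows a comment-rendering function in the unsafe form described, next to a hardened form that validates the identifier by type and applies contextual output encoding to the free-text fields. Function names, field limits and the sample input are assumptions.

```php
<?php
// Added example, not One-News code: the XSS pattern described in the advisory
// (untrusted itemnum/author/comment parameters emitted into HTML unchanged)
// beside the defensive pattern that closes it. Names are assumptions.

declare(strict_types=1);

// Unsafe pattern: request parameters are concatenated straight into markup,
// so any HTML or <script> in author/comment is interpreted by the browser.
function renderCommentUnsafe(array $params): string
{
    return '<div class="comment" data-item="' . $params['itemnum'] . '">'
         . '<b>' . $params['author'] . '</b>: ' . $params['comment'] . '</div>';
}

// Output encoding for HTML body and double-quoted attribute contexts.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids emitting an
// empty string on invalid UTF-8 (which would silently drop the field).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Identifiers such as itemnum are validated by type rather than only encoded:
// a positive integer is the only acceptable shape, anything else is rejected.
function validateItemNum(mixed $raw): int
{
    if (!is_string($raw) && !is_int($raw)) {
        throw new InvalidArgumentException('itemnum must be a scalar');
    }
    $filtered = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($filtered === false) {
        throw new InvalidArgumentException('itemnum must be a positive integer');
    }
    return $filtered;
}

// Hardened pattern: validate the identifier, bound the free-text lengths,
// and encode every untrusted value at the point it is written into HTML.
function renderCommentSafe(array $params): string
{
    $itemnum = validateItemNum($params['itemnum'] ?? '');
    $author  = mb_substr((string)($params['author'] ?? ''), 0, 64);    // assumed limit
    $comment = mb_substr((string)($params['comment'] ?? ''), 0, 4000);  // assumed limit

    return '<div class="comment" data-item="' . $itemnum . '">'
         . '<b>' . h($author) . '</b>: ' . h($comment) . '</div>';
}

// Constructed sample input modelled on the parameter names in the advisory.
$sample = [
    'itemnum' => '7',
    'author'  => 'guest',
    'comment' => '<script>alert(1)</script>',
];

echo renderCommentUnsafe($sample), PHP_EOL;  // script tag is emitted verbatim
echo renderCommentSafe($sample), PHP_EOL;    // emitted as &lt;script&gt;..., inert text

// A malformed identifier is rejected before any markup is produced.
try {
    renderCommentSafe(['itemnum' => '7" onmouseover="x', 'author' => 'a', 'comment' => 'b']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same encoding applies to the title and content fields handled by "add.php"; authentication on that path limits who can submit them but does not change how they must be rendered. Encoding at output time, in the context the value lands in, is the control that holds regardless of which parameter carries the payload.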
Weakness Enumeration
Related Identifiers
Affected Products
One-News