PT-2009-4245 · Ulteo · Ulteo Open Virtual Desktop

Published: 2009-05-22 · Updated: 2024-02-14 · CVE-2009-1775

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Ulteo Open Virtual Desktop version 1.0
Description: Ulteo Open Virtual Desktop 1.0 allows remote attackers to inject arbitrary web script or HTML, resulting in cross-site scripting (XSS). Several pages of the admin interface reflect unsanitized request parameters: "admin/applications.php", "admin/appsgroup.php", "admin/users.php", "admin/usersgroup.php" and "admin/tasks.php" via the id parameter, "admin/logs.php" via the show parameter, and "admin/configuration-partial.php" via the mode parameter.
Recommendations: For Ulteo Open Virtual Desktop version 1.0, restrict access to the affected admin pages ("admin/applications.php", "admin/appsgroup.php", "admin/users.php", "admin/usersgroup.php", "admin/tasks.php", "admin/logs.php" and "admin/configuration-partial.php") until a patch is available. As a temporary workaround, avoid using the id, show and mode parameters on the respective affected pages to minimize the risk of exploitation.
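A defender who cannot patch immediately will want to know whether the parameters named above are being probed. The following is an added example, not code from Positive Technologies or the Ulteo project: it maps each affected admin page to its reflected parameter and scans access-log lines (constructed here, assumed to be in the common combined log format) for values carrying HTML markup, decoding a second time so double-encoded values are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Reflected parameter for each affected admin page, taken from the advisory text.
WATCHED = {
    "/admin/applications.php": "id",
    "/admin/appsgroup.php": "id",
    "/admin/users.php": "id",
    "/admin/usersgroup.php": "id",
    "/admin/tasks.php": "id",
    "/admin/logs.php": "show",
    "/admin/configuration-partial.php": "mode",
}

# Markup that has no business in an id/show/mode value: tags, event-handler
# attributes or script-scheme URLs.
MARKUP = re.compile(r"<|>|javascript:|on\w+\s*=", re.IGNORECASE)

# Request line inside a combined-format access log entry.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def check_request(target):
    """Return (page, param, value) if a watched parameter carries markup, else None."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    # The application may live under a prefix (e.g. /ovd/admin/...), so match on the suffix.
    param = next((p for page, p in WATCHED.items() if path.endswith(page)), None)
    if param is None:
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        # parse_qs already URL-decodes once; decode again to catch double-encoded values.
        if MARKUP.search(value) or MARKUP.search(unquote_plus(value)):
            return (path, param, value)
    return None

def scan_log(lines):
    """Return (client_ip, page, param, value) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m and (found := check_request(m.group("target"))):
            hits.append((line.split(" ", 1)[0], *found))
    return hits

SAMPLE_LOG = [  # constructed log lines, not real traffic
    '10.0.0.5 - - [22/May/2009:10:00:01 +0000] "GET /admin/users.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - - [22/May/2009:10:00:07 +0000] "GET /admin/users.php?id=%3Cb%3E1%3C%2Fb%3E HTTP/1.1" 200 640',
    '10.0.0.9 - - [22/May/2009:10:00:12 +0000] "GET /admin/logs.php?show=%253Cb%253E HTTP/1.1" 200 300',
    '10.0.0.7 - - [22/May/2009:10:00:20 +0000] "GET /admin/index.php?id=%3Cb%3E HTTP/1.1" 200 100',
]
```

Run `scan_log(SAMPLE_LOG)` to see the two flagged requests; the last sample line is ignored because index.php is not one of the affected pages.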

Weakness Enumeration: XSS

Related Identifiers: CVE-2009-1775

Affected Products: Ulteo Open Virtual Desktop