CVE-2009-1776

Name of the Vulnerable Software and Affected Versions: Matt Wright FormMail version 1.92 and possibly earlier

Description: The issue allows remote attackers to inject arbitrary web script or HTML via javascript: URIs in the request and return link url parameters. This can be exploited through API endpoints that accept these parameters, such as "/FormMail.pl" with the request and return link url parameters.

Recommendations: For Matt Wright FormMail version 1.92 and possibly earlier, as a temporary workaround, consider validating and sanitizing the request and return link url parameters to prevent injection of arbitrary web script or HTML. Restrict access to the FormMail.pl script until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.