CVE-2009-2138

Name of the Vulnerable Software and Affected Versions TBDev.NET version 01-01-08

Description The issue allows remote attackers to redirect users to arbitrary web sites, potentially leading to phishing attacks. This is achieved via the returnto parameter in either the login.php or a delete action to news.php. It can also be leveraged for cross-site scripting (XSS) by redirecting to a data: URI.

Recommendations For TBDev.NET version 01-01-08, consider restricting or validating the returnto parameter in login.php and news.php to prevent redirects to arbitrary sites. As a temporary workaround, avoid using the returnto parameter in these endpoints until a more permanent solution is available.