CVE-2009-3803

Name of the Vulnerable Software and Affected Versions Amiro.CMS versions 5.4.0.0 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters and API endpoints, including the status message parameter to various pages and scripts, such as "/news", "/comment", "/forum", "/blog", "/tags", and multiple PHP files in the " admin/" directory. Additionally, a crafted IMG BBcode tag in the message body of a forum, guestbook, or comment, the content of an avatar file, and the loginname parameter in " admin/index.php" are also vulnerable.

Recommendations For Amiro.CMS versions 5.4.0.0 and earlier, consider disabling the status message parameter in all affected API endpoints until a patch is available. Restrict access to the vulnerable PHP files in the " admin/" directory to minimize the risk of exploitation. Avoid using crafted IMG BBcode tags in the message body of forums, guestbooks, or comments until the issue is resolved. Do not use potentially malicious avatar files until the issue is fixed. Restrict the use of the loginname parameter in " admin/index.php" to authorized users only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.