PT-2009-6228 · Phd · Phd Help Desk

Published

2009-11-23

·

Updated

2009-11-23

·

CVE-2009-4047

CVSS v2.0

4.3

Medium

Vector

AV:N/AC:M/Au:N/C:N/I:P/A:N

Name of the Vulnerable Software and Affected Versions

PHD Help Desk version 1.43

Description

Multiple cross-site scripting (XSS) vulnerabilities in PHD Help Desk 1.43 allow remote attackers to inject arbitrary web script or HTML into pages served by several of the application's PHP scripts. The injection points are: the PATH_INFO to area.php; the pagina, sentido, q_registros and orden parameters to area.php; the q_registros parameter to solic_display.php; the PATH_INFO to area_list.php; the q_registros parameter to area_list.php; the PATH_INFO to atributo.php; the pagina, q_registros and orden parameters to atributo_list.php; a request parameter whose name begins with "sentido" sent to atributo_list.php; and the PATH_INFO to caso_insert.php. Request data reaching these scripts is written back into the HTML response without adequate encoding, so a victim who follows a crafted link executes the attacker's script in the context of the help-desk site. No authentication is needed (Au:N); the attack is network-reachable (AV:N) and requires user interaction, hence the medium access complexity (AC:M) and partial integrity impact (I:P).

Recommendations

Apply the vendor's fix for PHD Help Desk 1.43 as soon as one is available (none is listed in this entry). Until then, restrict access to area.php, solic_display.php, area_list.php, atributo.php, atributo_list.php and caso_insert.php, for example to trusted networks or authenticated users, since the attack only requires that a victim load a crafted URL. Treat PATH_INFO and every request parameter, including parameter names, as untrusted: validate pagina, sentido, q_registros and orden against the form they are expected to take (by their names, a page number, a record count, a sort column and a sort direction), accept only known parameter names rather than anything beginning with "sentido", and HTML-encode any request data that is echoed into a page. Filtering "<" and ">" at a proxy reduces exposure but is not a substitute for output encoding in the application itself.
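The following is an added example, not code from PHD Help Desk or from this advisory. It turns the fourteen injection points listed in the description into probe URLs and classifies how each reflection comes back, which is also how the encoding fix recommended above can be verified: the same probes run against a patched instance should all report "escaped". The marker string, the base URL and the two simulated responders are constructed for the demonstration, and the parameter name sentidoXYZ stands in for the arbitrary name beginning with "sentido"; replace `vulnerable_responder` with a real HTTP fetch to test a live instance.

```python
"""Probe builder and reflection classifier for the CVE-2009-4047 injection points.

Added example, not code from PHD Help Desk or from the advisory. It assumes only
the 14 injection points named in the description; the marker string, the base
URL and the two simulated responders are constructed for the demonstration.
"""
from html import escape
from urllib.parse import parse_qs, quote, unquote, urlencode, urlparse

# Marker containing the three characters a correct HTML encoder must neutralise.
MARKER = 'pt2009<"xss>'

# (script, PATH_INFO injectable?, injectable query parameters) -- from the description.
# "sentidoXYZ" stands in for the arbitrary parameter name beginning with "sentido".
INJECTION_POINTS = [
    ("area.php", True, ["pagina", "sentido", "q_registros", "orden"]),
    ("solic_display.php", False, ["q_registros"]),
    ("area_list.php", True, ["q_registros"]),
    ("atributo.php", True, []),
    ("atributo_list.php", False, ["pagina", "q_registros", "orden", "sentidoXYZ"]),
    ("caso_insert.php", True, []),
]


def build_probes(base_url, marker=MARKER):
    """One URL per injection point: marker in PATH_INFO, or in a single parameter."""
    probes = []
    for script, has_path_info, params in INJECTION_POINTS:
        if has_path_info:
            probes.append(f"{base_url}/{script}/{quote(marker, safe='')}")
        for name in params:
            probes.append(f"{base_url}/{script}?{urlencode({name: marker})}")
    return probes


def classify(body, marker=MARKER):
    """Decide how the server reflected the marker.

    'unescaped' -> raw marker present, script injection is possible
    'escaped'   -> only the entity-encoded form is present (htmlspecialchars-style)
    'absent'    -> the input is not echoed at all
    """
    if marker in body:
        return "unescaped"
    if escape(marker) in body:
        return "escaped"
    return "absent"


def scan(base_url, fetch, marker=MARKER):
    """Run every probe through fetch(url) -> body and return {url: verdict}."""
    return {url: classify(fetch(url), marker) for url in build_probes(base_url, marker)}


# --- constructed stand-ins for the target so the example runs offline ----------------

def _reflected_inputs(url):
    """Emulate what PHP hands the script: URL-decoded PATH_INFO and query values."""
    parsed = urlparse(url)
    path = unquote(parsed.path)
    cut = path.find(".php")
    path_info = path[cut + 4:] if cut >= 0 else ""
    values = [v for vs in parse_qs(parsed.query).values() for v in vs]
    return [path_info] + values if path_info else values


def vulnerable_responder(url):
    """Behaves like the affected scripts: echoes request data into HTML unencoded."""
    return "<html><body>" + "".join(_reflected_inputs(url)) + "</body></html>"


def fixed_responder(url):
    """Same page with every reflected value passed through an HTML encoder."""
    return "<html><body>" + "".join(escape(v) for v in _reflected_inputs(url)) + "</body></html>"


if __name__ == "__main__":
    base = "http://helpdesk.example/phd"  # constructed base URL
    for url, verdict in scan(base, vulnerable_responder).items():
        print(f"{verdict:9} {url}")
```

The classifier deliberately looks for the entity-encoded marker as well as the raw one: a result of "absent" on a patched instance would mean the input is no longer echoed, which is a different (and also acceptable) fix from encoding, while "unescaped" anywhere means the patch missed an injection point.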

XSS

Related Identifiers

CVE-2009-4047

Affected Products

Phd Help Desk