CVE-2009-4837

Name of the Vulnerable Software and Affected Versions Basic Analysis and Security Engine (BASE) versions prior to 1.4.3.1

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the sig[1] parameter to "base/base qry main.php", or the time[0][1] parameter to either "base/base stat alerts.php" or "base/base stat uaddr.php".

Recommendations For versions prior to 1.4.3.1, update to version 1.4.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable parameters sig[1] and time[0][1] in the affected API endpoints until a patch is available. Avoid using these parameters in the "base/base qry main.php", "base/base stat alerts.php", and "base/base stat uaddr.php" endpoints until the issue is resolved.