PT-2010-1742 · Adpeeps · Adpeeps

Intern0T · Published 2010-07-22 · Updated 2018-10-10 · CVE-2009-4939

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: AdPeeps version 8.5d1

Description: The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in index.php, including the uid, campaignid, type, period, accname, loginpass, e9, from, message, and idno parameters, as well as the Advertiser Name, First Name, Last Name, Address, Phone Number, Password Hint, and URL fields. Additionally, remote authenticated users can inject arbitrary web script or HTML via an unspecified form associated with a view adrates action.

Recommendations: For AdPeeps version 8.5d1, consider disabling the affected parameters (uid, campaignid, type, period, accname, loginpass, e9, from, message, and idno) until a patch is available. Restrict access to the affected fields (Advertiser Name, First Name, Last Name, Address, Phone Number, Password Hint, and URL) to minimize the risk of exploitation. Avoid using the unspecified form associated with the view adrates action until the issue is resolved.

Weakness Enumeration: XSS

Related Identifiers: CVE-2009-4939

Affected Products: Adpeeps