PT-2011-2620 · Janrain · Janrain Engage

Published: 2011-02-04 · Updated: 2017-08-17 · CVE-2011-0771

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Janrain Engage module versions 6.x-1.3

Description: The issue allows remote authenticated users to conduct cross-site scripting (XSS) attacks and possibly execute arbitrary PHP code by causing a crafted avatar to be downloaded from an external login provider site, due to the lack of validation for profile image files.

Recommendations: For Janrain Engage module version 6.x-1.3, consider validating profile image files to prevent cross-site scripting (XSS) attacks and the possible execution of arbitrary PHP code. As a temporary workaround, restrict the ability to download avatars from external login provider sites until a proper fix is applied.
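The recommendation above (validate downloaded profile images and do not let the external provider choose the stored file's name or extension) can be implemented as in the following added example. It is not code from Janrain, Drupal or this advisory; it is written in Python rather than the module's PHP so it runs stand-alone, and the function names, the magic-byte allowlist, the size cap and the sample bytes are all constructed here.

```python
import hashlib
import os
from urllib.parse import urlparse

# Constructed allowlist: leading magic bytes of the raster formats an avatar may be.
# SVG is deliberately absent: it is XML and may carry script, which is the XSS angle.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # constructed size cap for a profile image


def filename_from_remote_url(remote_url: str) -> str:
    """The pattern to avoid: keep whatever name and extension the provider's URL has."""
    return os.path.basename(urlparse(remote_url).path)


def detect_image_type(data: bytes):
    """Return the allowlisted extension matching the file's magic bytes, or None."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def validate_avatar(data: bytes) -> str:
    """Validate downloaded avatar bytes and return a server-chosen filename.

    The remote URL is never consulted for the name: the extension comes from the
    detected content type and the stem from a hash of the bytes, so the provider
    cannot pick an executable or script-like extension for the stored file.
    """
    if len(data) > MAX_AVATAR_BYTES:
        raise ValueError("avatar exceeds size limit")
    ext = detect_image_type(data)
    if ext is None:
        raise ValueError("avatar is not a recognised raster image")
    return hashlib.sha256(data).hexdigest()[:32] + "." + ext


# Constructed sample inputs: a minimal PNG header and a PHP file named like an avatar.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"
PROVIDER_URL = "https://provider.example/avatars/123/avatar.php"  # constructed URL

if __name__ == "__main__":
    print("trusting the remote name gives:", filename_from_remote_url(PROVIDER_URL))
    print("validated PNG stored as:", validate_avatar(SAMPLE_PNG))
    try:
        validate_avatar(SAMPLE_PHP)
    except ValueError as exc:
        print("PHP file rejected:", exc)
```

A magic-byte check alone does not reject a polyglot (a valid JPEG with PHP appended), so the server-assigned extension and storing avatars in a directory where the web server never executes scripts are what close the PHP angle; re-encoding the image through an image library before saving additionally strips any trailing data.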

Tags: Fix · RCE


Weakness Enumeration

Related Identifiers

CVE-2011-0771

Affected Products

Janrain Engage