CVE-2011-1660

Name of the Vulnerable Software and Affected Versions GrapeCity Data Dynamics Reports versions prior to 1.6.2084.14

Description The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the DataDynamics.Reports.Web class library. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via specific parameters to certain JavaScript files, as reachable by CoreHandler.ashx. The vulnerable parameters include reportName, uniqueId, and traceLevel in CoreViewerInit.js and CoreController.js.

Recommendations For versions prior to 1.6.2084.14, update to version 1.6.2084.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the CoreHandler.ashx endpoint and limiting the use of the reportName, uniqueId, and traceLevel parameters in CoreViewerInit.js and CoreController.js until the update is applied.