CVE-2010-5064

Name of the Vulnerable Software and Affected Versions Virtual War (aka VWar) version 1.6.1 R2

Description The issue allows remote attackers to inject arbitrary web script or HTML, potentially leading to cross-site scripting (XSS) attacks. This can be achieved through various fields, including the Additional Information field to "challenge.php", the Additional Information or Contact information field to "joinus.php", the War Report field to "admin/admin.php" in a finishwar action, or the Nick field to "profile.php".

Recommendations For Virtual War (aka VWar) version 1.6.1 R2, as a temporary workaround, consider restricting user input in the mentioned fields until a patch is available. Avoid using the Additional Information, Contact information, War Report, and Nick fields in the respective API endpoints until the issue is resolved.