CVE-2011-5142

Name of the Vulnerable Software and Affected Versions Open Business Management (OBM) versions 2.4.0-rc13 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via specific parameters in various PHP files. The vulnerable parameters include tf delegation, tf ip, and tf name in a search action to "host/host index.php", login parameter to "obm.php", and tf user parameter in a search action to "group/group index.php".

Recommendations For Open Business Management (OBM) versions 2.4.0-rc13 and earlier, consider restricting access to the vulnerable parameters tf delegation, tf ip, tf name, login, and tf user until a patch is available. Avoid using these parameters in the affected API endpoints "host/host index.php", "obm.php", and "group/group index.php" to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.