CVE-2012-0872

Name of the Vulnerable Software and Affected Versions OxWall versions 1.1.1 and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different API endpoints, including /Oxwall/join, /Oxwall/contact, /Oxwall/blogs/browse-by-tag, /Oxwall/photo/viewlist/tagged, /Oxwall/photo/viewlist, and /Oxwall/video/viewlist. The vulnerable parameters include captchaField, email, form name, password, realname, repeatPassword, username, captcha, from, subject, and tag. The PATH INFO is also vulnerable in some cases.

Recommendations For OxWall versions 1.1.1 and earlier, as a temporary workaround, consider restricting access to the vulnerable API endpoints, such as /Oxwall/join, /Oxwall/contact, /Oxwall/blogs/browse-by-tag, /Oxwall/photo/viewlist/tagged, /Oxwall/photo/viewlist, and /Oxwall/video/viewlist, until a patch is available. Avoid using the vulnerable parameters, including captchaField, email, form name, password, realname, repeatPassword, username, captcha, from, subject, and tag, in the affected endpoints. At the moment, there is no information about a newer version that contains a fix for this issue.