CVE-2012-1647

Name of the Vulnerable Software and Affected Versions MediaFront module versions prior to 6.x-1.5 MediaFront module versions prior to 7.x-1.5

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via several vectors, including the HTTP HOST or SCRIPT NAME variables in the $ SERVER superglobal, the playlist parameter to the /players/osmplayer/player/getplaylist.php endpoint, and possibly other related to $ SESSION. The /players/osmplayer/player/OSMPlayer.php endpoint is also affected.

Recommendations For MediaFront module version 6.x-1.x, update to version 6.x-1.5 or later. For MediaFront module version 7.x-1.x, update to version 7.x-1.5 or later.