CVE-2012-2436

Name of the Vulnerable Software and Affected Versions Pligg CMS versions prior to 1.2.2

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved through various parameters in different modules, including an arbitrary parameter in a move or minimize action to "admin/admin index.php", the karma username parameter to "module.php" in the karma module, the q 1 low, q 1 high, q 2 low, or q 2 high parameters in a configure action to "module.php" in the captcha module, or the edit parameter to "module.php" in the admin language module.

Recommendations For Pligg CMS versions prior to 1.2.2, update to version 1.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected modules, such as the karma, captcha, and admin language modules, until the update can be applied. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.