CVE-2012-3805

Name of the Vulnerable Software and Affected Versions Kajona versions prior to 3.4.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters to different modules and pages. The vulnerable parameters include absender name, absender email, absender nachricht, comment name, comment subject, comment message, module, action, pv, pe, user username, user email, user forename, user name, user street, user postal, user city, user tel, user mobil, group name, group desc, name, browsername, seostring, keywords, folder id, element name, element cachetime, aspect name, filemanager name, filemanager path, filemanager upload filter, filemanager view filter, archive title, and archive path. These parameters are associated with the content page, postacomment module, admin login page, user module, pages module, system module, filemanager module, and downloads module.

Recommendations For Kajona versions prior to 3.4.2, update to version 3.4.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable modules and parameters until a patch is applied. Avoid using the specified parameters in the affected API endpoints until the issue is resolved.