CVE-2012-3836

Name of the Vulnerable Software and Affected Versions Baby Gekko versions prior to 1.2.0

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different modules, including the users, contacts, menus, and blog modules. The vulnerable parameters include groupname, virtual filename, branch, contact person, street, city, province, postal, country, tollfree, phone, fax, mobile, title, firstname, lastname, meta key, and meta description. Additionally, the PATH INFO to admin/index.php is also vulnerable.

Recommendations For Baby Gekko versions prior to 1.2.0, update to version 1.2.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable modules and parameters until a patch is available. Avoid using the vulnerable parameters in the affected API endpoints until the issue is resolved.