CVE-2013-1636

Name of the Vulnerable Software and Affected Versions Open Flash Chart versions prior to the version used in Pretty Link Lite 1.6.3 Pretty Link Lite plugin versions prior to 1.6.3 JNews (com jnews) component version 8.0.1 CiviCRM versions 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3

Description A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the get-data parameter. This affects various software products, including the Pretty Link Lite plugin for WordPress, JNews component for Joomla!, and CiviCRM.

Recommendations For Pretty Link Lite plugin versions prior to 1.6.3, update to version 1.6.3 or later. For JNews (com jnews) component version 8.0.1, consider disabling the component until a patch is available. For CiviCRM versions 3.1.0 through 4.2.9 and 4.3.0 through 4.3.3, update to a version outside of these ranges. As a temporary workaround, consider restricting access to the get-data parameter in the affected API endpoint until a patch is available.