CVE-2014-9243

Name of the Vulnerable Software and Affected Versions WebsiteBaker version 2.8.3

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the QUERY STRING to "wb/admin/admintools/tool.php" or the section id parameter to several files in the wb/modules/ directory, including "edit module files.php", "news/add post.php", "news/modify group.php", "news/modify post.php", and "news/modify settings.php".

Recommendations For WebsiteBaker version 2.8.3, consider disabling access to the vulnerable API endpoints and parameters, such as the QUERY STRING to "wb/admin/admintools/tool.php" and the section id parameter in the affected files, until a patch is available. Restrict access to the vulnerable modules in the wb/modules/ directory to minimize the risk of exploitation. Avoid using the section id parameter in the affected API endpoints until the issue is resolved.