CVE-2015-2677

Name of the Vulnerable Software and Affected Versions ocPortal versions prior to 9.0.17

Description The issue allows remote authenticated users to inject arbitrary web script or HTML via various fields in different pages, including the title or text field in the cms calendar page to cms/index.php, unspecified fields in the cms polls page to cms/index.php or a new topic in the topics page to forum/index.php, or a new PT (private topic/private message) in the topics page to forum/index.php.

Recommendations For versions prior to 9.0.17, update to version 9.0.17 or later to resolve the issue. As a temporary workaround, consider restricting access to the cms calendar, cms polls, and topics pages until the update is applied. Avoid using the title or text fields in the cms calendar page, and unspecified fields in the cms polls page or new topics and PTs in the topics page, until the issue is resolved.