CVE-2016-1000307

Name of the Vulnerable Software and Affected Versions ClipBucket version 2.8.1 and probably prior

Description The issue allows remote attackers to inject arbitrary web script or HTML via several parameters, including profile desc, about me, schools, occupation, companies, hobbies, fav movies, fav music, fav books to the ProfileSettings page, note parameter to the PersonalNotes Section, and closed msg, description, allowed types parameters to the WebsiteConfigurations Section.

Recommendations For ClipBucket version 2.8.1 and probably prior, update to a version that includes a fix for this issue, as no specific workaround is provided for these versions. As a temporary workaround, consider restricting access to the ProfileSettings page, PersonalNotes Section, and WebsiteConfigurations Section until a patch is available. Avoid using the parameters profile desc, about me, schools, occupation, companies, hobbies, fav movies, fav music, fav books, note, closed msg, description, allowed types in the affected sections until the issue is resolved.