CVE-2016-10215

Name of the Vulnerable Software and Affected Versions Fastspot BigTree bigtree-form-builder versions prior to 1.2

Description The issue is caused by insufficient filtration of user-supplied data in multiple HTTP POST parameters passed to a "site/index.php/../../extensions/com.fastspot.form-builder/ajax/redraw-field.php" API endpoint. This allows an attacker to execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

Recommendations For versions prior to 1.2, update to version 1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the redraw-field.php module to minimize the risk of exploitation. Avoid using user-supplied data in the affected API endpoint until the issue is resolved.