PT-2021-4030 · Unknown · CTparental

Published 2021-08-10 · Updated 2021-08-13 · CVE-2021-37365

CVSS v2.0: 7.2 (High)
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: CTparental versions prior to 4.45.03
Description: The CTparental admin panel is vulnerable to cross-site scripting (XSS). In bl_categires_help.php (file name as given in the advisory), the categories variable is assigned the value of the cat query-string parameter without validation or output encoding, so whatever the request supplies is written into the generated page verbatim. An attacker who can get an authenticated administrator to open a crafted URL can therefore inject arbitrary HTML and script that runs in the admin panel's context. The entry is also tagged with a path traversal weakness (improper limitation of a pathname to a restricted directory); no details of that aspect are given here.
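The following PHP is an added illustration of the pattern the advisory describes, not CTparental's own code: a query-string value copied into a variable and echoed into HTML with no encoding, beside the hardened version that encodes at the point of output and a stricter variant that validates against a known vocabulary. The variable and parameter names follow the advisory; the surrounding markup, the function names and the category list are assumptions for the demo.

```php
<?php
// Added example (not CTparental's code). Parameter name 'cat' and variable
// $categories come from the advisory; everything else here is assumed.

/**
 * Vulnerable pattern: attacker-controlled input lands in the page verbatim.
 * Any '"', '<' or '>' in ?cat= breaks out of the intended markup.
 */
function render_help_vulnerable(array $get): string
{
    $categories = $get['cat'] ?? '';
    return '<h2>Help for category: ' . $categories . '</h2>';
}

/**
 * Hardened pattern: HTML-encode at the output point, with quotes encoded,
 * using an explicit charset so multi-byte sequences cannot be abused.
 */
function render_help_fixed(array $get): string
{
    $categories = $get['cat'] ?? '';
    $safe = htmlspecialchars($categories, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2>Help for category: ' . $safe . '</h2>';
}

/**
 * Stricter variant for a parameter that should only ever name a known
 * blocklist category: reject anything outside the allow-list, and still
 * encode on output as defence in depth.
 */
function render_help_allowlisted(array $get, array $knownCategories): string
{
    $categories = $get['cat'] ?? '';
    if (!in_array($categories, $knownCategories, true)) {
        http_response_code(400);
        return '<h2>Unknown category</h2>';
    }
    return '<h2>Help for category: '
        . htmlspecialchars($categories, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

// Constructed input: the kind of value a reflected-XSS probe would place in ?cat=
$probe = ['cat' => '"><script>alert(document.cookie)</script>'];

// Constructed category list, standing in for whatever the real panel knows about.
$known = ['adult', 'gambling', 'social'];

echo render_help_vulnerable($probe), PHP_EOL;      // script tag reaches the browser intact
echo render_help_fixed($probe), PHP_EOL;           // same input rendered as harmless text
echo render_help_allowlisted($probe, $known), PHP_EOL;
echo render_help_allowlisted(['cat' => 'social'], $known), PHP_EOL;
```

Run it with `php` from the command line and compare the first two lines: the vulnerable render contains a live `<script>` element, the fixed one contains only entity-encoded text. Encoding at output is the minimal fix; the allow-list variant is what a practitioner would prefer when the parameter is really an identifier rather than free text.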
Recommendations: Update CTparental to version 4.45.03 or later. Until the update is applied, restrict access to bl_categires_help.php (for example by denying it at the web server level, or by limiting the admin panel to trusted hosts), since the injected value arrives through the cat query-string parameter of that page. Administrators should also avoid following untrusted links into the admin panel while a vulnerable version is in use.

Tags: Fix · XSS · Path traversal

Related Identifiers

BDU:2021-04557
CVE-2021-37365

Affected Products

CTparental