CVE-2010-4607 Information

Description

Multiple cross-site scripting (XSS) vulnerabilities in Habari 0.6.5 when register_globals is enabled allow remote attackers to inject arbitrary web script or HTML via the (1) additem_form parameter to system/admin/dash_additem.php and the (2) status_data[] parameter to system/admin/dash_status.php. NOTE: some of these details are obtained from third party information.

Reference

http://secunia.com/advisories/42688 http://wiki.habariproject.org/en/Release_0.6.6 http://www.exploit-db.com/exploits/15799 http://www.htbridge.ch/advisory/xss_vulnerability_in_habari.html http://www.htbridge.ch/advisory/xss_vulnerability_in_habari_1.html