Multiple vulnerabilities in glFusion 1.2.2 could allow an unauthenticated, remote attacker to conduct cross-site scripting attacks.
The vulnerabilities are due to improper filtering of user-supplied data submitted in POST requests through the subject, address1, address2, calendar_type, city, state, title, url, and zipcode parameters of the /profiles.php, /calendar/index.php, and /links/index.php scripts. An attacker could create a link that contains crafted data for the affected parameters. When a user clicks on the link, the code executes in the user's browser session in the security context of the affected website.
Proof-of-concept code that exploits these vulnerabilities is publicly available.
Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit these vulnerabilities.
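As an illustration of the detection advice above, the following added example (not part of the original advisory and not glFusion code) flags POST requests to the affected scripts whose affected parameters carry markup, including values that were URL-encoded more than once. The regular expression, the function names and the sample requests are assumptions constructed for this sketch.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Scripts and parameters named in the advisory. The advisory does not say which
# parameter belongs to which script, so every parameter is checked on every script.
SCRIPTS = {"/profiles.php", "/calendar/index.php", "/links/index.php"}
PARAMS = {"subject", "address1", "address2", "calendar_type", "city",
          "state", "title", "url", "zipcode"}

# Assumed heuristic: markup or script-bearing syntax has no place in these fields.
SUSPICIOUS = re.compile(r"[<>]|\bon\w+\s*=|javascript\s*:", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so %253C is treated the same as '<'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def flag_request(method, target, body):
    """Return sorted names of affected parameters whose values look like markup."""
    path = urlsplit(target).path
    # endswith() also matches installs in a subdirectory, e.g. /cms/profiles.php
    if method.upper() != "POST" or not any(path.endswith(s) for s in SCRIPTS):
        return []
    fields = parse_qs(body, keep_blank_values=True)  # decodes one encoding layer
    hits = set()
    for name, values in fields.items():
        if name in PARAMS and any(SUSPICIOUS.search(fully_decode(v)) for v in values):
            hits.add(name)
    return sorted(hits)


# Constructed sample requests: (method, request target, form-encoded body).
SAMPLES = [
    ("POST", "/links/index.php", "title=My+site&url=http%3A%2F%2Fexample.org%2F"),
    ("POST", "/calendar/index.php", "title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&city=Oslo"),
    ("POST", "/profiles.php", "subject=hello&zipcode=%253Cimg+src%253Dx%253E"),
    ("GET", "/links/index.php", "title=%3Cb%3E"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, flag_request(method, target, body))
```

A check of this kind only supplements the vendor patch; it does not replace output encoding in the application.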
The vendor has released patches at the following link: glFusion v1.2.2.pl4