e-Business Designer contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'id' variable upon submission to the admin/form_grupo.html script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. Additionally, the resulting error message will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Upgrade to version 3.1.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Unknown or Incomplete

• Bugtraq ID: 17933
• CVE ID: 2006-2348 (see also: NVD)
• Secunia Advisory ID: 20071
• Related OSVDB ID: 25464 25466
• VUPEN Advisory: ADV-2006-1784
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0297.html
  http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0365.html
  http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0406.html
  http://archives.neohapsis.com/archives/fulldisclosure/2006-06/0408.html
• Vendor URL: http://www.ebdsoft.com/

Unknown or Incomplete