SiteBar contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the uid parameter upon submission to the command.php script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Upgrade to version 3.3.9 or higher, as it has been reported to fix this vulnerability. In addition, the vendor has released a patch for some older versions.

• CVE ID: 2007-5692 (see also: NVD)
• Bugtraq ID: 26126
• Secunia Advisory ID: 27503 28008
• Related OSVDB ID: 41110 41355 41356 41357 41358 41359 41581 43604 43760
• VUPEN Advisory: ADV-2007-3768
• Other Advisory URL: http://securityreason.com/securityalert/3318
  http://www.debian.org/security/2007/dsa-1423
  http://www.nth-dimension.org.uk/pub/NDSA20071016.txt.asc
• Vendor Specific News/Changelog Entry: http://teamforge.net/viewcvs/viewcvs.cgi/tags/release-3.3.9/doc/history.txt?view=markup
• Vendor Specific Solution URL: http://www.gentoo.org/security/en/glsa/glsa-200711-05.xml
• Vendor URL: http://www.sitebar.org/
• Keyword: NDSA20071016

• Tim Brown - Nth Dimension