PT-2009-33 iNTERNET.cms Cross-Site Scripting Vulnerability
Versions prior to 1.1.28
Impact: Cross-Site Scripting
Attack Vector: Remote
Base Score: 4.3
Temporal Score: 3.4
CVE: not assigned
iNTERNET.cms is a content management system (CMS) software, usually implemented as a Web application, for creating and managing HTML content. It is used to manage and control a large, dynamic collection of Web material (HTML documents and their associated images).
Positive Technologies Research Team has discovered a Cross-Site Scripting (XSS) vulnerability in iNTERNET.cms.
User input passed to the "search_query" setting is not properly sanitized. This can be exploited to inject malicious code and execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
Update to iNTERNET.cms (r881) or the latest version.
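For sites that echo a search term back into the page, the defect class described above and a regression check for it can be sketched as follows. This is an added example, not iNTERNET.cms code or the vendor's fix; the template, the `/search` path, the function names and the probe strings are constructed for illustration.

```python
import html

# Constructed probes: markup that must never reach the response un-encoded.
PROBES = [
    '<script>alert(1)</script>',       # HTML text context
    '" onfocus="alert(1)',             # breaks out of a double-quoted attribute
    "'><img src=x onerror=alert(1)>",  # single-quote variant
]

# Hypothetical results page: the query is reflected in an attribute value
# (the search box) and in body text (the "Results for" line).
TEMPLATE = (
    '<form action="/search"><input name="search_query" value="{attr}"></form>\n'
    '<p>Results for: {text}</p>'
)


def render_unsafe(search_query):
    """The pattern the advisory describes: the request value is echoed as-is."""
    return TEMPLATE.format(attr=search_query, text=search_query)


def render_safe(search_query, max_len=200):
    """Encode at output time; quote=True also encodes " and ' for attributes."""
    value = search_query[:max_len]  # bound the reflected length (assumed limit)
    encoded = html.escape(value, quote=True)
    return TEMPLATE.format(attr=encoded, text=encoded)


def reflected_raw(render, probes=PROBES):
    """Return the probes that appear un-encoded in the rendered page."""
    return [p for p in probes if p in render(p)]


if __name__ == "__main__":
    print("unsafe reflects:", reflected_raw(render_unsafe))
    print("safe reflects:  ", reflected_raw(render_safe))
```

The same `reflected_raw` check can be pointed at any renderer that takes the query string, which makes it usable as a regression test after upgrading.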
03/25/2009 - Vendor is notified
03/26/2009 - Vendor response
05/18/2009 - Vendor releases fixed version
05/26/2009 - Requested status update from vendor
05/27/2009 - Public disclosure
This vulnerability was discovered by Dmitry Evteev (Positive Technologies Research Team) using the professional network security scanner MaxPatrol.