PT-2013-18: Variables Overwriting in mnoGoSearch

Vulnerable software

Version: 3.3.12 and earlier

Application link:

Severity level

Severity level: Medium
Impact: Cross-Site Scripting (XSS)
Access Vector: Remote

CVSS v2:
Base Score: 4.3
Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE: not assigned

Software description

mnoGoSearch is a universal Intranet and Internet search engine.

Vulnerability description

Positive Technologies experts have detected a Cross-Site Scripting vulnerability in mnoGoSearch.

Due to incorrect application architecture, all the template variables and variables sent by the client are stored in the same list. This vulnerability allows attackers to overwrite any uninitialized variables used in the template. Overwriting parameters, which are displayed on the web page without processing, results in multiple cross-site scripting vulnerabilities.
Exploitation example

How to fix

Update your software up to the latest version.

Advisory status

15.02.2013 - Vendor gets vulnerability details
01.03.2013 - Vendor releases fixed version and details
05.03.2013 - Public disclosure


The vulnerabilities has discovered by Sergey Bobrov, Positive Research Center (Positive Technologies Company)


Reports on the vulnerabilities previously discovered by Positive Research: