PT-2014-66: Cross-Site Scripting in InstantCMS Vulnerable softwareInstantCMS Version: 1.xLink: http://www.instantcms.ru/Severity levelSeverity level: Medium Impact: Cross-Site Scripting Access Vector: Remote CVSS v2: Base Score: 4.3 Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)CVE: not assignedSoftware descriptionInstantCMS is a web content management system.Vulnerability descriptionThe specialists of the Positive Research center have detected a Cross-Site Scripting vulnerability in InstantCMS.Cross-site scripting in the frontend.php file allows remote attackers to inject arbitrary HTML tags (including JavaScript scripts, etc.) to a page processed by user's browser.How to fix Update your software up to the latest version.Advisory status 26.12.2013 - Vendor gets vulnerability details 28.12.2013 - Vendor releases fixed version and details 26.12.2014 - Public disclosureCreditsThe vulnerability was detected by using Positive Technologies Application Inspector, the application security testing systemReferenceshttp://en.securitylab.ru/lab/PT-2014-66 Reports on the vulnerabilities previously discovered by Positive Research:http://www.ptsecurity.com/research/advisory/ http://en.securitylab.ru/lab/