Sitemagic CMS 2010.04.17 (SMExt) Remote XSS Vulnerability

Sitemagic CMS suffers from a XSS vulnerability when parsing user input to the ‘SMExt’ parameter via GET method in ‘index.php’. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user’s browser session.

Vendor Status
[10.06.2011] Initial contact with the vendor.
[10.06.2011] Vendor replies asking more details.
[10.06.2011] Sent vulnerability details to vendor.
[11.06.2011] Vendor replies.
[12.06.2011] Vendor confirms vulnerability.
[15.06.2011] Asked vendor for scheduled patch release date.
[17.06.2011] No reply from vendor.
[18.06.2011] Sent another e-mail to vendor asking for scheduled patch release date, pointing out the reasonable timeframe for fixing a XSS issue.
[18.06.2011] Vendor says that they will keep me posted when new release is available.
[20.06.2011] Informed the vendor that the advisory release will be on 21st of June.
[21.06.2011] Public security advisory released.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5020.php

Comment are closed.