SiNG cms 2.9.0 (email) Remote XSS POST Injection Vulnerability

Title: SiNG cms 2.9.0 (email) Remote XSS POST Injection Vulnerability
Advisory ID: ZSL-2012-5097
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 23.08.2012
Summary
SiNG cms is a free, open-source modular Content Management System written in PHP with a MySQL backend and intended to run on the Apache web server.
Description
The application is prone to a reflected cross-site scripting vulnerability due to a failure to properly sanitize user-supplied input to the 'email' POST parameter in the 'password.php' script. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
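To illustrate the class of defect the advisory describes, here is an added example that is not SiNG cms's own code (the affected `password.php` source is not reproduced on this page): a hypothetical password-reset form that reflects the `email` POST parameter into the page unencoded, beside a hardened version that validates the value and HTML-encodes it before output.

```php
<?php
// Added illustration, not SiNG cms source: a minimal password-reset form
// that echoes the submitted e-mail address back into the response page.

// Vulnerable pattern (assumed shape of the defect, not the vendor's code):
// the raw POST value is concatenated into HTML, so any markup in 'email'
// is rendered by the victim's browser, i.e. reflected cross-site scripting.
function render_form_vulnerable(array $post)
{
    $email = isset($post['email']) ? $post['email'] : '';
    return '<form method="post" action="password.php">'
         . '<input type="text" name="email" value="' . $email . '">'
         . '<input type="submit" value="Reset"></form>';
}

// Hardened pattern: reject anything that is not a syntactically valid
// address, then encode whatever is echoed so the browser treats it as
// text and it can never terminate the attribute or open a new tag.
function render_form_hardened(array $post)
{
    $raw = isset($post['email']) ? $post['email'] : '';
    $email = (filter_var($raw, FILTER_VALIDATE_EMAIL) !== false) ? $raw : '';
    $safe = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="password.php">'
         . '<input type="text" name="email" value="' . $safe . '">'
         . '<input type="submit" value="Reset"></form>';
}

// Constructed sample input: a value that closes the attribute and injects a tag.
$sample = array('email' => '"><b>not an address</b>');
echo render_form_vulnerable($sample), "\n"; // markup passes through into the page
echo render_form_hardened($sample), "\n";   // invalid address: value is emptied

// Constructed sample input: a well-formed address is still echoed, but encoded.
$valid = array('email' => 'user@example.com');
echo render_form_hardened($valid), "\n";    // value="user@example.com"
```

The validation step alone is not the fix: output encoding is what stops the reflection, and validation only narrows what reaches the encoder.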
Vendor
Simple Network Gear - http://www.sing-cms.ru
Affected Version
2.9.0
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a
Vendor Status
[20.08.2012] Vulnerability discovered.
[20.08.2012] Initial contact with the vendor.
[22.08.2012] No response from the vendor.
[23.08.2012] Public security advisory released.
[23.08.2012] Vendor releases version 2.9.1 to address this issue.
PoC
singcms_xss.html
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.org/files/115812
[2] http://cxsecurity.com/issue/WLB-2012080211
[3] http://secunia.com/advisories/50378/
[4] http://sing-cms.ru/forum/bugs/uyazvimost-bazovogo-modulya-do-2-9-0-vklyuchitelno
[5] http://www.securityfocus.com/bid/55168
[6] http://forums.cnet.com/7726-6132_102-5350861.html
[7] http://www.securelist.com/en/advisories/50378
[8] http://xforce.iss.net/xforce/xfdb/77952
[9] http://www.osvdb.org/show/osvdb/84864
Changelog
[23.08.2012] - Initial release
[24.08.2012] - Added reference [5], [6] and [7]
[26.08.2012] - Added reference [8] and [9]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk