Hero Framework 3.69 Remote Reflected Cross-Site Scripting Vulnerability

Title: Hero Framework 3.69 Remote Reflected Cross-Site Scripting Vulnerability
Advisory ID: ZSL-2011-5061
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 01.12.2011
Summary
Hero (formerly Caribou CMS) is a white label, open source PHP website content management system (CMS) and development platform.
Description
Hero suffers from a reflected XSS vulnerability: user input passed in the 'month' parameter via the GET method is returned in the page without sanitization. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
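The advisory does not reproduce Hero's code, so the following is an added illustration (not Hero's own source) of the pattern it describes and of the corresponding fix: a 'month' query-string value echoed into HTML unchanged, next to a version that validates the value as a month number and HTML-escapes it on output. Function names, the array-based request handling and the sample inputs are constructed for this example, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not Hero's own code. It shows the reflected-XSS pattern the
// advisory describes ('month' GET parameter echoed into the page) beside a
// hardened version. Function names and inputs are constructed for this demo;
// the request is passed in as an array so the functions can run outside a
// web server.

// Vulnerable pattern: the raw query-string value is placed into HTML as-is,
// so any markup supplied in the URL is rendered by the visitor's browser.
function render_month_vulnerable(array $get): string
{
    $month = $get['month'] ?? '';
    return "<h2>Events for month: " . $month . "</h2>";
}

// Hardened pattern: validate the value against what a month can be (an
// integer 1..12), reject anything else, and still HTML-escape the output so
// a later change to the validation rule cannot silently reintroduce injection.
function render_month_safe(array $get): string
{
    $month = filter_var(
        $get['month'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]
    );
    if ($month === false) {
        // Invalid input: render a fixed message, never the submitted string.
        return "<h2>Events: invalid month</h2>";
    }
    $safe = htmlspecialchars((string) $month, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Events for month: " . $safe . "</h2>";
}

// Constructed sample requests: one normal, one carrying HTML markup.
$normal  = ['month' => '11'];
$hostile = ['month' => '<b>not-a-month</b>'];

echo render_month_vulnerable($hostile), "\n"; // markup passes through unchanged
echo render_month_safe($normal), "\n";        // Events for month: 11
echo render_month_safe($hostile), "\n";       // Events: invalid month
```

The allowlist check does most of the work here: a month parameter has a tiny legitimate value space, so rejecting everything outside 1..12 removes the injection surface entirely, and the `htmlspecialchars` call remains as defence in depth for the day someone widens the rule. Escaping alone would also stop this particular issue, but validation additionally gives a clean point to log rejected requests, which is how a defender would spot probing of this parameter in the access logs.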
Vendor
Electric Function, Inc. - http://www.heroframework.com
Affected Version
3.69
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
Vendor Status
[29.11.2011] Vulnerability discovered.
[29.11.2011] Initial contact with the vendor, PoC sent.
[29.11.2011] Vendor releases a fix.
[01.12.2011] Public security advisory released.
PoC
hero_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.heroframework.com/changelog
[2] http://packetstormsecurity.org/files/107443
[3] http://www.securityfocus.com/bid/50878
[4] http://secunia.com/advisories/47051/
[5] http://osvdb.org/show/osvdb/77462
[6] http://xforce.iss.net/xforce/xfdb/71587
Changelog
[01.12.2011] - Initial release
[02.12.2011] - Added reference [3] and [4]
[03.12.2011] - Added reference [5]
[04.12.2011] - Added reference [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk