|
|
| |
| According to the manufacturer, G3 is "a classic content-management-system, allowing customers to manage their own websites without knowing much about webpublishing". Stefan Friedli discovered a XSS Vulnerability in the search module used by many websites powered by G3. |
| |
Credit:
The information has been provided by Stefan Friedli.
|
| |
By using the chars "<" ">" and quotes, the form can be used to include script code. As there seems to be no determination between parameters being passed by GET or POST, it's possible to pass manipulated content to other users using a simple link passing the parameter search_string.
Vendor response:
INM has been informed about this vulnerability on 2006-07-06. A reminder was sent 14 days after. There has been no reaction on any message according this issue.
Timeline:
2006-07-05 - Discovery
2006-07-06 - INM has been informed about the flaw
2006-07-20 - Reminder has been sent
2006-08-02 - Public advisory has been published
|
|
|
|
|
|
|
|
