application. Information disclosure also exist, the application does not properly check which user is currently logged in. Finally CSRF is also possible within the Tickets CAD application which allows an attacker to successfully add an admin account.
[+] A Reflective XSS vulnerability exist in the search function, search.php within the application
[+] A Stored XSS vulnerability exist in log.php while creating a new log entry
[+] Both of these vulnerabilities can be prevented by using strip_tags:
# Jun 30 2012 - Contacted vendor
# Jul 23 2012 - Email to Dev team ask for an update and when next release will be issued
# Aug 04 2012 - Dev team became unresponsive Public Disclosure