Advisory: FreeSMS (Free Student Management System) Multiple Cross-site Scripting Vulnerabilities
Advisory ID: SSCHADV2011-028
Author: Stefan Schurtz
Affected Software: Successfully tested on FreeSMS 2.1.2
Vendor URL: https://sourceforge.net/projects/freesms/
Vendor Status: informed
CVE-ID: -

==========================
Vulnerability Description:
==========================

FreeSMS (Free Student Management System) is prone to multiple Cross-Site Scripting vulnerabilities

==================
Technical Details:
==================

http:///FreeSMS/pages/crc_handler.php?method='"
http:///FreeSMS/pages/crc_handler.php?method=profile&func='"
http:///FreeSMS/pages/crc_evaluation.php?crc=diggks5j3mlf6pee6knk34qq60&uid=3&course='"
http:///FreeSMS/pages/crc_login.php?crc=diggks5j3mlf6pee6knk34qq60&uid='"

http:///FreeSMS/pages/crc_handler.php?method=register&func=add -> Username -> '"

=========
Solution:
=========

-

====================
Disclosure Timeline:
====================

15-Oct-2011 - informed developers
15-Oct-2011 - release date of this security advisory

========
Credits:
========

Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References:
===========

https://sourceforge.net/projects/freesms/
http://www.rul3z.de/advisories/SSCHADV2011-028.txt
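The advisory lists no vendor fix. The following is an added example, not FreeSMS code and not from the advisory's author, of how the reflected parameters named above (method, func, crc, uid, course, and the registration Username field) are handled so that the '" probe is rendered inert: dispatcher values are allow-listed instead of echoed, numeric values are cast, and every free-text value is HTML-encoded at the output point with ENT_QUOTES so that both quote characters are encoded. The parameter names come from the advisory; the page layout, the allow-list contents and the simulated request are assumptions.

```php
<?php
// Added example (not FreeSMS code): treat every request parameter as untrusted
// and encode it for the HTML context where it is written out.
declare(strict_types=1);

/**
 * Encode a value for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES encodes both ' and " (the characters in the advisory's '" probe);
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function h(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Restrict dispatcher parameters such as "method" and "func" to known values.
 * An unknown value falls back to the default and the raw input is never echoed.
 * The allowed values here are assumed, not taken from FreeSMS.
 */
function allowed(string $value, array $allowedValues, string $default): string
{
    return in_array($value, $allowedValues, true) ? $value : $default;
}

/**
 * Build a link back into the application with every parameter URL-encoded,
 * so that values such as "course" cannot break out of the query string.
 */
function linkTo(string $page, array $params): string
{
    return $page . '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// Simulated request (constructed for this example) carrying probe strings.
$get = [
    'method' => "'\"",
    'func'   => 'add',
    'crc'    => 'diggks5j3mlf6pee6knk34qq60',
    'uid'    => '3',
    'course' => '<script>alert(1)</script>',
];
$post = ['username' => "'\"<img src=x onerror=alert(1)>"];

$method = allowed($get['method'] ?? '', ['profile', 'register', 'login'], 'login');
$func   = allowed($get['func'] ?? '', ['add', 'edit', 'view'], 'view');

// uid is an integer: validate and cast instead of reflecting the raw string.
$uid = filter_var($get['uid'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($uid === false) {
    $uid = 0;
}

// Session-style tokens are only ever compared, never echoed; if one must be
// placed in a link it goes through linkTo() like any other parameter.
$crc = (string) ($get['crc'] ?? '');

// Free-text values (course name, registration username) are encoded on output.
$course   = h($get['course'] ?? '');
$username = h($post['username'] ?? '');
$next     = h(linkTo('crc_evaluation.php', ['crc' => $crc, 'uid' => $uid, 'course' => $get['course'] ?? '']));
?>
<p>Method: <?= h($method) ?> / Function: <?= h($func) ?></p>
<p>Course: <?= $course ?></p>
<form method="post" action="<?= h('crc_handler.php?method=register&func=add') ?>">
  <input type="text" name="username" value="<?= $username ?>">
  <input type="hidden" name="uid" value="<?= (int) $uid ?>">
</form>
<a href="<?= $next ?>">Continue</a>
```

Run with `php -S localhost:8080` (or `php example.php`) and request it with the probe values; the rendered source shows `&#039;&quot;` in place of the raw quotes and an unchanged page structure. The allow-list and integer cast matter as much as the encoding: parameters that are only ever compared against known values should not reach the output at all.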