Hello list!

These are Cross-Site Scripting and Brute Force vulnerabilities in In-Portal 
CMS.

-------------------------
Affected products:
-------------------------

Vulnerable are In-Portal CMS 5.2.0 and previous versions.

In version In-Portal CMS 5.2.1 at 31.08.2014 developers fixed XSS 
vulnerability after my warning. But didn't fix BF, only gave recommendations 
about protection against these attacks (it's their solution). They recommend 
for users of the system to limit access to admin panel by IP.

-------------------------
Affected vendors:
-------------------------

In-Portal
http://in-portal.com

----------
Details:
----------

Cross-Site Scripting (WASC-08):

http://site/admin/index.php?env=-login:m0--1--s-&next_template=%22%3E%3Cbody%20onload=alert(document.cookie)%3E

Brute Force (WASC-11):

http://site/admin/index.php

I mentioned about these vulnerabilities at my site 
(http://websecurity.com.ua/7276/).

Best wishes & regards,
Eugene Dokukin aka MustLive
Administrator of Websecurity web site
http://websecurity.com.ua