Sitecore's special way of display XML controls allows for a cross site scripting attack.
332c44062becbe780354571679bbca0e59d1468bef6e56ac13e0ebfa8d53931a
Hey All,
Sitecores special way of displaying XML Controls directly allows for a
Cross Site Scripting Attack more can be achieved with these XML
Controls and will be documented in another vulnerability report
http://target/?xmlcontrol=body%20onload=alert(123)
http://target/?xmlcontrol=iframe%20src=https://www.google.com/images/srpr/logo11w.png
More information can be found at
http://www.securatary.com/vulnerabilities - Also listed is a useful text
file for use with Burp when auditing SiteCore.