Our addition to yesterday's advisory:

# CVE-2012-0872
============ { Ariko-Security - Advisory #2/2/2012 } =============
OxWall Cross-site scripting (XSS)

Vendor's description of software and download:
# Oxwall Foundation
http://www.oxwall.org/

Dork:
# N/a

Application Info:
# OxWall 1.1.1

Vulnerability Info:
# Type: XSS

Time Table:
# 13/02/2012 - Vendor notified

XSS:
# Input passed to the "plugin" parameter in index.php is not properly sanitised before being returned to the user.

Solution:
# Input validation of vulnerable parameters should be corrected.

POC:
http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3Eprompt%28982087%29%3C%2fScRiPt%3E

Advisory:
http://advisories.ariko-security.com/2012/audyt_bezpieczenstwa_2m2.html

Credit:
# Discovered By: Ariko-Security 2012

Ariko-Security
Rynek Glowny 12
32-600 Oswiecim
tel: +48 33 4741511
mobile: +48 784086818 (Mo-Fr 10.00-20.00 CET)

Ariko-Security Sp. z o.o., with its registered office in Oświęcim, registered by the District Court for Kraków-Śródmieście, 12th Commercial Division of the National Court Register, KRS: 00000358273, NIP: 549-239-90-67, REGON 121262172
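The fix the advisory asks for, as an added illustration (not OxWall's code): the advisory's POC query string is parsed, echoed the naive way described under "XSS", and then rendered through an allowlist check plus HTML output encoding. The `[a-z0-9_]` plugin-key format and the surrounding markup are assumptions for the example.

```python
"""Reflected XSS in a 'plugin' query parameter: naive reflection vs. hardened output."""
import html
import re
from urllib.parse import parse_qs, urlsplit

# The advisory's proof-of-concept URL ("site" is the placeholder host used on the page).
POC_URL = ("http://site/ow_updates/?plugin=%27%22%28%29%26%251%3CScRiPt%20%3E"
           "prompt%28982087%29%3C%2fScRiPt%3E")

# Assumed plugin-key format: lowercase letters, digits and underscores, 1-64 chars.
PLUGIN_KEY_RE = re.compile(r"[a-z0-9_]{1,64}")


def plugin_param(url: str) -> str:
    """Return the URL-decoded 'plugin' value from a request URL ('' if absent)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("plugin", [""])[0]


def render_vulnerable(plugin: str) -> str:
    """Echo the parameter straight into HTML, as the advisory describes."""
    return f"<p>Updating plugin: {plugin}</p>"


def render_encoded(plugin: str) -> str:
    """Output encoding only: every HTML-significant character becomes an entity."""
    return f"<p>Updating plugin: {html.escape(plugin, quote=True)}</p>"


def render_hardened(plugin: str) -> str:
    """Defence in depth: reject keys outside the allowlist, then encode on output."""
    if not PLUGIN_KEY_RE.fullmatch(plugin):
        return "<p>Invalid plugin key</p>"
    return render_encoded(plugin)


def contains_script_tag(rendered: str) -> bool:
    """Crude detector for the injected tag surviving into the response body."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    value = plugin_param(POC_URL)
    print("decoded parameter :", value)
    print("vulnerable output :", render_vulnerable(value))
    print("encoded output    :", render_encoded(value))
    print("hardened output   :", render_hardened(value))
```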