[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: XSS vulnerability in Expression CMS

To: advisory@xxxxxxxxxxx
Subject: Re: XSS vulnerability in Expression CMS
From: security curmudgeon <jericho@xxxxxxxxxxxxx>
Date: Thu, 16 Dec 2010 18:36:45 -0600 (CST)

: Vulnerability ID: HTB22618
: Reference: 
http://www.htbridge.ch/advisory/xss_vulnerability_in_expression_cms_1.html
: Product: Expression 
: Vendor: Backbone Technology ( http://www.backbonetechnology.com ) 
: Vulnerable Version: Current at 18.09.2010 and Probably Prior Versions

How do you know you tested a current version? The vendor web site does not 
list a current version on the page:

http://www.backbonetechnology.com/expression/

They do not appear to offer a demo, and it seemingly requires a 
consultation to purchase. They do list who is running it:

http://www.backbonetechnology.com/portfolio/

Did you test one of their customers' live sites to find this 
vulnerability? If so, again, how do you not know the version you tested?

Prev by Date: www.eVuln.com : "link" and "linkdescription" XSS in Social Share
Next by Date: [ GLSA 201012-01 ] Chromium: Multiple vulnerabilities
Previous by thread: www.eVuln.com : "link" and "linkdescription" XSS in Social Share
Next by thread: [ GLSA 201012-01 ] Chromium: Multiple vulnerabilities
Index(es):
- Date
- Thread