#
# Vulnerability Title: Project Open ]po[ - "account-closed.tcl" Reflective Cross Site Scripting
# Author: Michail Poultsakis
# Date of Vendor and CERT Contact: 2011.12.08
# Publication Date: 2012.02.02
# Product Link: http://www.project-open.com
# Affected Product Version: 3.4.x
#
# Project Open ]po[ version 3.4.x suffers from a reflective Cross Site Scripting Vulnerability.
# The vulnerability resides within the "message" parameter in the "account-closed.tcl" script.
#
# http://[HOST]/register/account-closed?message=[arbitrary-JavaScript]
#
# An attacker, by crafting a malicious URL of his choosing, may force arbitrary JavaScript to be executed on the victim's browser.
#
# --- Vulnerability detected on product version 3.4. Previous product versions might also be affected. ---
#
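
A log check for the request shape described in this advisory, added here as an example; it is not part of the original advisory or of the ]po[ code base. It assumes combined-format web access logs, and the sample log lines, the character heuristic, the ".tcl" path variant and the function names are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, unquote_plus, urlsplit

# Path and parameter named in the advisory; the ".tcl" form is an assumption.
TARGET_PATHS = {"/register/account-closed", "/register/account-closed.tcl"}
TARGET_PARAM = "message"
# Heuristic (assumption): a status message has no need for markup characters.
SUSPICIOUS = re.compile(r'[<>"]|javascript:|\bon\w+\s*=', re.IGNORECASE)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (combined log format, documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Feb/2012:10:00:00 +0000] "GET /register/account-closed?message=Your+account+is+closed HTTP/1.1" 200 512',
    '192.0.2.11 - - [02/Feb/2012:10:00:05 +0000] "GET /register/account-closed?message=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 530',
    '192.0.2.12 - - [02/Feb/2012:10:00:09 +0000] "GET /register/account-closed?message=%253Cb%253Ehi HTTP/1.1" 200 520',
    '192.0.2.13 - - [02/Feb/2012:10:00:12 +0000] "GET /intranet/?message=%3Cb%3E HTTP/1.1" 200 900',
]

def decode_fully(value, max_rounds=3):
    """Undo nested URL-encoding such as %253C -> %3C -> <."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_message(log_line):
    """Return the decoded 'message' value if it carries markup, else None."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    if unquote(url.path).rstrip("/") not in TARGET_PATHS:
        return None
    # parse_qs decodes once; decode_fully catches double-encoded values.
    for raw in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
        value = decode_fully(raw)
        if SUSPICIOUS.search(value):
            return value
    return None

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    found = ((n, suspicious_message(l)) for n, l in enumerate(lines, start=1))
    return [(n, v) for n, v in found if v is not None]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious message value {value!r}")
```

A hit only shows that markup was sent to the page; whether it was rendered unescaped depends on how the installed version handles the parameter.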