Product: LogAnalyzer
Version: 3.6.0
Vendor: www.adiscon.com
Vulnerability type: Cross Site Scripting
Risk level: Low
Vendor notification: 2012-12-15
Patch Release: 2012-12-19
Public disclosure: 2012-12-20
Author: Mohd Izhar Bin Ali aka johncrackernet
Website: http://johncrackernet.blogspot.com

Details:
A cross-site scripting vulnerability existed in the asktheoracle.php page. An attacker could use it to execute arbitrary HTML and script code in a victim's browser via the oracle_query parameter, which is reflected into the response.

Proof of Concept:
The 'oracle_query' parameter is not properly sanitized by the asktheoracle.php page before it is written into the HTML output.
http://192.168.1.10/loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=
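The root cause described above is a query-string value being reflected into HTML without output encoding. The following is an added illustration written for this advisory, not LogAnalyzer's own code: it places the pattern the advisory describes (raw oracle_query value echoed into the page) next to the hardened form, which encodes the value for the HTML context at the point of output. The function names, the surrounding markup and the sample input are assumptions; the advisory only states that the parameter reaches the page unsanitized.

```php
<?php
// Added example, not code from LogAnalyzer. Function names and the page
// fragment below are assumptions made for illustration.

// Pattern the advisory describes: the raw parameter value is concatenated
// into the HTML response, so any markup it contains becomes part of the page.
function render_query_unsafe(string $oracleQuery): string
{
    return "<p>Results for: " . $oracleQuery . "</p>";
}

// Hardened form: encode for an HTML text node at the point of output.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// a double- or single-quoted attribute value; ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string; the explicit charset
// keeps the encoder in step with the page's declared encoding.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_query_safe(string $oracleQuery): string
{
    return "<p>Results for: " . html_escape($oracleQuery) . "</p>";
}

// Constructed sample input: benign markup that a search form should display
// as literal text rather than hand to the browser as HTML.
$sample = $_GET['oracle_query'] ?? '<b>sample</b>';

echo "Unsafe: " . render_query_unsafe($sample) . PHP_EOL;
echo "Safe:   " . render_query_safe($sample) . PHP_EOL;
```

Run it from the command line (php thisfile.php) or under a web server with an oracle_query parameter; the two output lines differ only in whether the angle brackets and quotes from the parameter survive as markup or are turned into character references. Encoding at output time, in the context where the value is written (here an HTML text node), is the fix that removes the reflected XSS; filtering the input for suspicious strings is not a substitute, because the same value may later be written into an attribute, a script block or a URL, each of which needs its own encoding.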