Hello list! These are Cross-Site Scripting and Brute Force vulnerabilities in In-Portal CMS. ------------------------- Affected products: ------------------------- Vulnerable are In-Portal CMS 5.2.0 and previous versions. In version In-Portal CMS 5.2.1 at 31.08.2014 developers fixed XSS vulnerability after my warning. But didn't fix BF, only gave recommendations about protection against these attacks (it's their solution). They recommend for users of the system to limit access to admin panel by IP. ------------------------- Affected vendors: ------------------------- In-Portal http://in-portal.com ---------- Details: ---------- Cross-Site Scripting (WASC-08): http://site/admin/index.php?env=-login:m0--1--s-&next_template=%22%3E%3Cbody%20onload=alert(document.cookie)%3E Brute Force (WASC-11): http://site/admin/index.php I mentioned about these vulnerabilities at my site (http://websecurity.com.ua/7276/). Best wishes & regards, Eugene Dokukin aka MustLive Administrator of Websecurity web site http://websecurity.com.ua