Hello list! These are Cross-Site Scripting and Cross-Site Request Forgery vulnerabilities in CMS Pylot ( on Russian). It's Ukrainian commercial CMS from Delta-X. ------------------------- Affected products: ------------------------- Vulnerable are all versions of CMS Pylot. Developers from Delta-X haven't answered and haven't fixed these vulnerabilities. ---------- Details: ---------- Cross-Site Scripting (WASC-08): Example of XSS for IE: http://site/index_admin_login.php?return_path=%27%22%20style=xss:expression(alert(document.cookie))%201 Cross-Site Request Forgery (WASC-09): http://site/index_admin_login.php Lack of protection in login form, such as captcha, leads to possibility of conducting CSRF attacks, which I wrote about in the article Attacks on unprotected login forms (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2011-April/007773.html). It allows to conduct remote login. But the from isn't vulnerable to Brute Force, since captcha appears after the first attempt. Also it can be used for redirection. For these attacks it's needed to have working login and password: ------------ Timeline: ------------ 2014.08.02 - announced at my site. 2014.08.09 - informed developers. 2014.08.12 - informed developers again. 2014.12.26 - disclosed at my site (http://websecurity.com.ua/7292/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua