Computer Security
[EN] securityvulns.ru
From: Brad Antoniewicz <brad.antoniewicz_(at)_foundstone.com>
Date: 10.11.2008
Subject: FirmChannel Digital Signage 3.24 Cross-site scripting

Title: FirmChannel Digital Signage 3.24 Cross-site scripting

-------------------------------------------------------------

Vendor: FirmChannel

Vendor URL: www.firmchannel.com

Vendor Response: Vendor has been notified and has since addressed the issue in the latest software release.

Description:

A cross-site scripting vulnerability is present within Firm Channel's Indoor & Outdoor Digital SIGNAGE version 3.24 (and potentially below).

Example:

http://host/index.php?module=account&action=login%3Cscript%3Ealert(%27xss%27);%3C/script%3E



Patch Information:

Firm Channel has addressed the issue in the latest version.

For more information visit firmchannel.com

CVE:  CVE-2008-4931

Credit:

Brad Antoniewicz

brad.antoniewicz@foundstone.com
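
For defenders reviewing web server logs of an affected installation, the following added example (not part of the advisory and not vendor code) flags requests shaped like the example URL above, where the `module` or `action` parameter carries markup. It assumes legitimate values of those parameters are short identifiers such as `account` or `login`; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: legitimate module/action values are short identifiers such as
# "account" or "login"; any other value in these parameters is reported.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,64}")
WATCHED_PARAMS = ("module", "action")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return [(param, decoded_value)] for watched params failing the allow-list."""
    hits = []
    # Split on "&" only: the example URL carries a raw ";" inside the value.
    for pair in urlsplit(target).query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name) in WATCHED_PARAMS:
            decoded = fully_decode(value)
            if not SAFE_VALUE.fullmatch(decoded):
                hits.append((unquote_plus(name), decoded))
    return hits

def scan_log(lines):
    """Yield (line_number, hits) for access-log lines with a flagged request."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        hits = suspicious_params(match.group(1)) if match else []
        if hits:
            yield number, hits

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Nov/2008:10:00:01 +0000] "GET /index.php?module=account&action=login HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Nov/2008:10:02:17 +0000] "GET /index.php?module=account&action=login%3Cscript%3Ealert(%27xss%27);%3C/script%3E HTTP/1.1" 200 5188',
    '192.0.2.44 - - [10/Nov/2008:10:02:40 +0000] "GET /index.php?module=account&action=login%253Cb%253E HTTP/1.1" 200 5130',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(number, hits)
```

The allow-list approach reports any non-identifier value rather than matching specific script strings, so encoded or double-encoded variants of the same request are also caught.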
