###############################################################
ID: S21SEC-023-en
Title: Multiple Cross Site Scripting vulnerabilities in Vignette
Date: 03/04/2003
Status: Vendor contacted and solution available
Scope: HTML code Execution in client browsers
Platforms: All
Author: rpinuaga
Location: http://www.s21sec.com/es/avisos/s21sec-023-en.txt
Release: External
###############################################################

                         S 2 1 S E C

                    http://www.s21sec.com

   Multiple Cross Site Scripting vulnerabilities in Vignette

About Vignette
--------------

Vignette develops Content Management and Application Portal Software.

Description of vulnerability
----------------------------

Vignette software has multiple Cross Site Scripting (XSS) vulnerabilities.

It is possible to inject HTML code into text variables. When these
variables are displayed by a Vignette application, arbitrary code can
execute in the client browser.

Vignette does not offer any protection against this kind of attack.

For example:

https://www.somesite.es/Page/1,10966,,00.html?var=
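
The reflection described above and the output encoding that prevents it, as an added example that is not part of the original advisory and is not Vignette code. The template, the probe string and the function names are constructed for illustration; only the URL shape and the `var` parameter come from the advisory.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# URL shape from the advisory; a value for "var" is appended by the check below.
ADVISORY_URL = "https://www.somesite.es/Page/1,10966,,00.html?var="

# Constructed template (not Vignette's own): the variable is displayed once
# as element content and once inside a quoted attribute.
TEMPLATE = '<p>Result: {body}</p><input type="text" name="var" value="{attr}">'

# Constructed probe: inert markup containing every HTML metacharacter.
PROBE = '"><i id=probe>x</i>&\''


def get_var(url, name="var"):
    """Return the first value of a query variable, or '' if it is absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get(name, [""])[0]


def render_unsafe(url):
    """Behaviour the advisory describes: the variable is shown as received."""
    value = get_var(url)
    return TEMPLATE.format(body=value, attr=value)


def render_encoded(url):
    """Same page with the variable HTML-encoded at output time."""
    # quote=True also encodes " and ', which attribute context requires.
    value = html.escape(get_var(url), quote=True)
    return TEMPLATE.format(body=value, attr=value)


def reflects_markup(render, base_url=ADVISORY_URL):
    """True if the probe comes back unencoded, i.e. the page is injectable."""
    page = render(base_url + quote(PROBE, safe=""))
    return PROBE in page


if __name__ == "__main__":
    print("unencoded page reflects markup:", reflects_markup(render_unsafe))
    print("encoded page reflects markup:  ", reflects_markup(render_encoded))
```

The same `reflects_markup` check can serve as a regression test for any page renderer that displays request variables.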