SecPod Research Team member (Antu Sanadi) has found an XSS flaw in AR Web Content Manager (AWCM), which can be used to obtain sensitive information and launch further attacks. The flaw lies in the ‘search’ parameter in ‘search.php‘ while the application processes the user-supplied input and renders the content back to the client’s browser. The flaw can be exploited to inject arbitrary HTML code and steal cookies and so on.
The solution can be found at, here
More information can be found here.
CVE Info: CVE-2011-1668
Welcome any feedback or suggestion.
Cheers!
SecPod Research Team