TITLE:
Nukedit “terms” Cross-Site Scripting

SECUNIA ADVISORY ID:
SA25087

VERIFY ADVISORY:
http://secunia.com/advisories/25087/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Nukedit 4.x
http://secunia.com/product/10231/

DESCRIPTION:
Nexus has reported a vulnerability in Nukedit, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Input passed to the “terms” parameter in utilities/search.asp is not
properly sanitised before it is returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user’s browser
session in the context of an affected site.

The vulnerability is reported in version 4.9.7b. Other versions may also
be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.
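
As an added illustration, not code from Nukedit (the advisory does not show the real utilities/search.asp, which is classic ASP), the reflection pattern described above is modelled in JavaScript beside its output-encoded form; htmlEncode plays the role of Server.HTMLEncode, and the handler and check names are hypothetical.

```javascript
// Constructed model of a search page that echoes the "terms" parameter.
// Not Nukedit's code: the project's handler is classic ASP and is not on the page.

// Minimal HTML entity encoder, equivalent in intent to classic ASP's
// Server.HTMLEncode: neutralises the characters that can open a tag,
// close an attribute value, or start an entity.
function htmlEncode(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: the query parameter is reflected into the response
// body verbatim, which is the behaviour the advisory describes.
function renderSearchVulnerable(query) {
  const terms = query.get('terms') ?? '';
  return `<p>Results for: ${terms}</p>`;
}

// Hardened pattern: the same reflection, but the value is entity-encoded at
// the output point, so any markup in it is rendered as text by the browser.
function renderSearchFixed(query) {
  const terms = query.get('terms') ?? '';
  return `<p>Results for: ${htmlEncode(terms)}</p>`;
}

// Defender-side regression check: does the response body still contain any
// tag from the input in raw (unencoded) form?
function reflectsMarkupUnencoded(input, body) {
  const tags = input.match(/<[^>]+>/g) || [];
  return tags.some((t) => body.includes(t));
}

// Constructed request: a reflection probe of the kind a scanner would send.
const probe = new URLSearchParams({ terms: 'widgets <script>alert(1)</script>' });

console.log('vulnerable:', renderSearchVulnerable(probe));
console.log('fixed:     ', renderSearchFixed(probe));
```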

PROVIDED AND/OR DISCOVERED BY:
Nexus