esoTalk 1.0.0g4: XSSDate: 2015-12-21 10:26:51
|Affected Product:||esoTalk 1.0.0g4|
|Fixed in:||not fixed|
|Fixed Version Link:||n/a|
|Reported to vendor:||11/17/2015|
|Disclosed to public:||12/21/2015|
|Release mode:||Full Disclosure|
|Credits||Tim Coen of Curesec GmbH|
Medium 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
esoTalk is a light-weight forum software written in PHP. In version 1.0.0g4 and possibly prior versions, there is a reflected XSS vulnerability in the search because a given URL is echoed unencoded in multiple places.
3. Proof of Concept
This issue was not fixed by the vendor.
5. Report Timeline
|11/17/2015||Informed Vendor about Issue (no reply)|
|12/10/2015||Reminded Vendor of Disclosure Date (no reply)|
|12/21/2015||Disclosed to public|