1. OVERVIEW Acuity CMS 2.6.x (ASP-based) versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Acuity CMS is a powerful but simple, extremely easy to use, low priced, easy to deploy content management system. It is a leader in its price and feature class. 3. VULNERABILITY DESCRIPTION "UserName" parameter is not properly sanitized upon submission to the URL, /admin/login.asp , which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Tested in version 2.6.2. 5. PROOF-OF-CONCEPT/EXPLOIT http://localhost/admin/login.asp?UserName="><script>prompt(/xss/)</script> 6. SOLUTION The Acunity CMS is no longer in active development. It is recommended to user another CMS in active development and support. 7. VENDOR The Collective http://www.thecollective.com.au/ 8. CREDIT Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2012-04-17: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/%5Bacuity_cms2.6.x_(asp)%5D_xss #yehg [2012-04-17]