Source: packetstorm | Author: Chia Junyuan | ID: PACKETSTORM:134177
Published: Nov 02, 2015 - 12:00 a.m.

Accentis Content Resource Management System Cross Site Scripting


EPSS: 0.001 (Low), Percentile: 50.1%

`# Vulnerability type: Stored Cross Site Scripting  
# Vendor: http://www.accentis.com.au/  
# Product: Accentis Content Resource Management System  
# Credit: Foo Jong Meng, Chia Junyuan, Benjamin Tan  
# CVE ID: CVE-2015-3425  
  
# PROOF OF CONCEPT (XSS)  
  
Accentis Content Resource Management System before the October 2015 patch contains a stored cross-site scripting (XSS) vulnerability that allows authenticated users to inject arbitrary JavaScript via the following parameter.  
  
# VULNERABLE PARAMETER:  
- ctl00$cph_content$_uig_formState  
  
# SAMPLE PAYLOAD  
- <script>alert("XSS")</script>  
  
# TIMELINE  
- 15/04/2015: Vulnerability found  
- 09/07/2015: Vendor informed  
- 09/07/2015: Vendor responded and acknowledged  
- 28/10/2015: Vendor fixed the issue  
- 02/11/2015: Public disclosure  
`
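
A defender-side check for the parameter named in the advisory, as an added example that is not part of the original advisory or the vendor's code: it flags urlencoded POST bodies whose `ctl00$cph_content$_uig_formState` value carries markup, and HTML-encodes the value for safe display. The sample bodies, the regex heuristic and the function names are assumptions constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

# Parameter named in the advisory.
PARAM = "ctl00$cph_content$_uig_formState"

# Heuristic (an assumption, not a vendor rule): HTML tags, inline event
# handlers, or javascript: URLs inside a value that should hold form state.
MARKUP = re.compile(r"<\s*/?\s*[a-z!][^>]*>|\bon[a-z]+\s*=|javascript\s*:", re.I)


def flag_form_body(body):
    """Return the decoded PARAM values in a urlencoded body that contain markup."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes names and values
    return [v for v in fields.get(PARAM, []) if MARKUP.search(v)]


def scan(records):
    """records: iterable of (request_id, body). Returns [(request_id, value)]."""
    hits = []
    for request_id, body in records:
        for value in flag_form_body(body):
            hits.append((request_id, value))
    return hits


def render_safe(value):
    """HTML-encode a stored value before writing it into a page."""
    return html.escape(value, quote=True)


# Constructed sample POST bodies (not captured from a real system).
SAMPLES = [
    ("req-1", "ctl00%24cph_content%24_uig_formState=%7B%22tab%22%3A2%7D&other=1"),
    ("req-2", "ctl00%24cph_content%24_uig_formState="
              "%3Cscript%3Ealert(%22XSS%22)%3C%2Fscript%3E"),
    ("req-3", "comment=%3Cb%3Ehi%3C%2Fb%3E"),  # markup, but in another field
]

if __name__ == "__main__":
    for request_id, value in scan(SAMPLES):
        print(request_id, "suspicious value:", render_safe(value))
```

The scan is scoped to the one parameter the advisory names, so markup in other fields (such as `req-3`) is deliberately not reported.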
