Hi, I have the following advisory for you. email@example.com
discovered by firstname.lastname@example.org
PRODUCT: SiteScape Forum
EXPOSURE: TCL injection
By modifying the URL it is possible to insert TCL code into the application. An account on the target server is not required.
Make an HTTP request in the form of
You can now enter commands separated by semicolons. There are some restrictions, but exploitation is possible.
Upgrade to the latest version.
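One way to look for requests of this kind in web server access logs, as an added example that is not part of the original advisory: it percent-decodes each request target and flags Tcl command words that follow a semicolon, newline or opening bracket. The log format, the sample lines, the `/app/view` path and the command word list are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Tcl built-in commands; lowercase only, because Tcl command names are case-sensitive.
TCL_WORDS = r"(?:exec|eval|open|file|source|socket|set|puts|proc|subst|uplevel|interp)"
# A command word directly after a command separator (; or newline) or after "[".
SUSPECT = re.compile(r"(?:[;\r\n]\s*|\[\s*)" + TCL_WORDS + r"\b")
# Common/combined log format: client, two fields, [time], "METHOD target ...", status.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines; /app/view is a placeholder path, not the product's own.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2003:10:00:00 +0000] "GET /app/view?id=42 HTTP/1.0" 200 512',
    '192.0.2.11 - - [01/Jan/2003:10:00:05 +0000] "GET /app/view;jsessionid=ABC123?id=42 HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2003:10:01:00 +0000] "GET /app/view/x%3Bputs%20hello HTTP/1.0" 200 64',
    '198.51.100.7 - - [01/Jan/2003:10:01:09 +0000] "GET /app/view?id=%255Bset%2520a%25201%255D HTTP/1.0" 404 0',
]


def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised.

    '+' is treated as a space everywhere, which over-normalises paths but is
    acceptable for detection purposes.
    """
    for _ in range(max_rounds):
        decoded = unquote(target.replace("+", " "))
        if decoded == target:
            break
        target = decoded
    return target


def scan(lines):
    """Return (client, status, decoded_target) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, _method, target, status = m.groups()
        decoded = fully_decode(target)
        if SUSPECT.search(decoded):
            hits.append((client, int(status), decoded))
    return hits


if __name__ == "__main__":
    for client, status, target in scan(SAMPLE_LOG):
        print(f"{client} {status} {target!r}")
```

A bare semicolon is not flagged on its own, since path parameters such as `;jsessionid=` are common in legitimate URLs; a hit is a lead for review, not proof of compromise.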
"We have developed, tested, and distributed a fix to our current customer base via our support site. The patch is available here:
This URL requires a login. Thank you for alerting us."
From sitescape.com :
"SiteScape's flagship product, SiteScape Forum(R), ... SiteScape collaborative solutions are currently implemented worldwide in organizations including the US Navy, US Centers for Disease Control, the European Space Agency, Lockheed Martin..." ;)