'Seo Panel' Cookie-Rendered Persistent XSS Vulnerability (CVE-2010-4331) Mark Stanislav - email@example.com
A vulnerability exists in 'Seo Panel' page rendering which allows for unfiltered, unencrypted content to be presented to a user through two different cookies.
Alter the value of cookies called 'default_news' or 'sponsors' and then view a site page which includes controllers/index.ctrl.php or controllers/settings.ctrl.php that will render the cookies as they exist on the user's machine.
Upgrade to a release > 2.2.0 when available or otherwise disable cookie rendering.
http://www.seopanel.in/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4331 http://www.uncompiled.com/2011/01/seo-panel-cookie-rendered-persistent-xss-vulnerability-cve-2010-4331/
11/24/2010 - Initial vendor disclosure 11/25/2010 - Vendor response and commitment to fix 11/25/2010 - Reply to vendor detailing potential fixes and an adjusted public disclosure date 11/25/2010 - Vendor response confirming desired public disclosure date and agreement to patch method 01/15/2011 - Public disclosure