GForge Cross Site Scripting vulnerability Version: Tested on GForge 4.5.11 Discovered by: José Ramón Palanco: jose.palanco(at)eazel(dot)es http://www.eazel.es Description: GForge is vulnerable to a security vulnerability that allow Cross-Site Scripting attacks. Due to improper filtering, a remote attacker can cause a cross site scripting. To exploit any attacker may send via GET method the "words" variable to: >"<script>alert('www.eazel.es')</script> to http://site/search/advanced_search.php?group_id=X&search=1 where X is any active project in the gforge installation. Timeline: discovered: 26/10/2006 published: 8/01/2007 Original advisory: http://www.eazel.es/advisory006-gforge-cross-site-scripting-vulnerability.html
