A vulnerability in Blakord Portal could allow an unauthenticated, remote attacker to conduct cross-site scripting (XSS) attacks.
The vulnerability is due to insufficient sanitization of user-supplied input by the search.asp script. An attacker could exploit this vulnerability by persuading a user to visit a URL that submits a crafted Search parameter to the affected script. If successful, the attacker could execute arbitrary script code in the user's browser session in the context of the affected web site. This may allow the attacker to gain access to sensitive browser-based information such as cookie-based authentication credentials.
Proof-of-concept code that exploits this vulnerability is publicly available.
For additional information about cross-site scripting attacks and the methods used to exploit these vulnerabilities, see the Cisco Applied Mitigation Bulletin Understanding Cross-Site Scripting (XSS) Threat Vectors.
Administrators are advised to implement an intrusion prevention system (IPS) or intrusion detection system (IDS) to help detect and prevent attacks that attempt to exploit this vulnerability.
The vendor has not confirmed the vulnerability and has not released updated software.
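As an illustration of the detection advice above, the following added example (not part of the original advisory or of any vendor tooling) scans web server access logs for requests to search.asp whose Search parameter decodes to markup or script content. The log field order, the `/portal/` path, the addresses and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Markup characters, script-scheme URLs, or inline event handlers in a value.
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample log lines; field order, path and addresses are assumptions.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query",
    "2024-01-01 10:00:00 192.0.2.10 GET /portal/search.asp Search=network+security",
    "2024-01-01 10:00:05 192.0.2.11 GET /portal/search.asp Search=%3Cscript%3Ealert(1)%3C/script%3E",
    "2024-01-01 10:00:09 192.0.2.12 GET /portal/search.asp search=%253Cimg+src%253Dx%253E",
    "2024-01-01 10:00:12 192.0.2.13 GET /portal/default.asp -",
]

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded markup (%253C) is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines):
    """Return (client_ip, decoded_value) for suspicious search.asp requests."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue
        client_ip, stem, query = fields[2], fields[4], fields[5]
        if not stem.lower().endswith("/search.asp"):
            continue
        # parse_qsl decodes once; decode_fully catches further encoding layers.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = decode_fully(raw)
            if name.lower() == "search" and SUSPICIOUS.search(value):
                hits.append((client_ip, value))
    return hits

if __name__ == "__main__":
    for ip, value in flag_requests(SAMPLE_LOG):
        print(f"ALERT {ip} Search={value!r}")
```

The parameter name is matched case-insensitively because classic ASP query-string lookups ignore case, and repeated decoding keeps a double-encoded value from slipping past the pattern.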