Kentico CMS <=5.5R2.23 Cross-Site Scripting POST Injection Vulnerability

Title: Kentico CMS <=5.5R2.23 Cross-Site Scripting POST Injection Vulnerability
Advisory ID: ZSL-2011-5015
Type: Remote
Impact: Cross-Site Scripting
Risk: (2/5)
Release Date: 31.05.2011
Summary
.NET Web Content Management System for ASP.NET.
Description
Kentico CMS suffers from an XSS vulnerability when parsing user input passed to the 'userContextMenu_parameter' parameter via the POST method in '/examples/webparts/membership/users-viewer.aspx'. Attackers can exploit this weakness to execute arbitrary HTML and script code in a user's browser session.
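The pattern behind a reflected XSS of this kind, and its mitigation, shown as an added example that is not Kentico's code and not taken from the advisory: a hypothetical ASP.NET Web Forms page reads a POST form field (the parameter name 'menuParameter' and the class name are assumptions) and writes it back into the response. The vulnerable variant emits the raw value; the hardened variant HTML-encodes it for the context it lands in.

```csharp
// Added example, hypothetical page; not Kentico's code.
using System;
using System.Web;
using System.Web.UI;

public class ContextMenuDemo : Page
{
    // Hypothetical POST parameter name (assumption, not the real one).
    private const string ParamName = "menuParameter";

    // Vulnerable pattern: the form value is reflected into the HTML body
    // unchanged, so any markup in it is interpreted by the browser.
    private static string RenderUnsafe(string value)
    {
        return "<div class=\"menu\">" + value + "</div>";
    }

    // Hardened pattern: encode for the HTML element context before emitting.
    // HtmlEncode turns <, >, &, and quotes into character references, so the
    // value is displayed as text rather than parsed as markup.
    public static string RenderSafe(string value)
    {
        return "<div class=\"menu\">" + HttpUtility.HtmlEncode(value) + "</div>";
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Request.Form reads POST body fields only; a missing field yields null.
        string value = Request.Form[ParamName] ?? string.Empty;

        // Do not rely on ASP.NET request validation alone: it is commonly
        // disabled for pages that accept rich input, and it is a blocklist,
        // not context-aware output encoding.
        Response.Write(RenderSafe(value));
    }
}
```

If the value is placed into a JavaScript string or an attribute instead of element text, use the encoder for that context (for example HttpUtility.JavaScriptStringEncode for script strings); HTML element encoding alone is not sufficient there.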
Vendor
Kentico Software - http://www.kentico.com
Affected Version
5.5R2.23 and below
Tested On
Microsoft Windows XP Pro SP3 (EN)
Microsoft-IIS/7.5
ASP.NET 2.0.50727
Vendor Status
[12.03.2011] Vulnerability discovered.
[21.05.2011] Vendor contacted; PoC files sent.
[23.05.2011] Vendor replies.
[23.05.2011] Asked vendor for confirmation.
[24.05.2011] Vendor confirms the issue, scheduling hotfix 5.5R2.24.
[31.05.2011] Coordinated public security advisory released.
PoC
kentico_xss.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://devnet.kentico.com/Bugtracker/Hotfixes.aspx
[2] http://packetstormsecurity.org/files/101834
[3] http://www.securityfocus.com/bid/48051
[4] http://secunia.com/advisories/44785
[5] http://securityreason.com/wlb_show/WLB-2011060009
[6] http://xforce.iss.net/xforce/xfdb/67776
[7] http://osvdb.org/show/osvdb/72731
Changelog
[31.05.2011] - Initial release
[01.06.2011] - Added references [3] and [4]
[02.06.2011] - Added reference [5]
[03.06.2011] - Added reference [6]
[13.06.2011] - Added reference [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk