ShareTronix - HTML Injection Vulnerability Version Affected: 1.0.4 (newest) Info: Sharetronix Opensource is a multimedia microblogging platform. It helps people in a community, company, or group to exchange short messages over the Web. Credits: MaXe from InterN0T (patched the vulnerability) & Reelix (found the vulnerability) External Links: http://sharetronix.com/opensource/ -:: The Advisory ::- The header.php file for showing a single microblog entry does not sanitize the page_title correct. page_title is set by the user when posting an entry to the microblog platform. Files: sharetronix/system/templates/header.php 00013: <?= $D->page_title ?> sharetronix/system/templates/mobile/header.php 00014: <?= $D->page_title ?> -:: Solution ::- sharetronix/system/templates/header.php 00013: <?= htmlentities($D->page_title); ?> sharetronix/system/templates/mobile/header.php 00014: <?= htmlentities($D->page_title); ?> Disclosure Information: - Vulnerability found 26th January - Patch was made available 26th January - Vendor and Buqtraq (SecurityFocus) contacted the 26th January - Will be disclosed on InterN0T 27th January All of the best, MaXe