aMember contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate 'action' parameters upon submission to the '/admin/products.php' script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

OSVDB is not aware of a solution for this vulnerability.

• Secunia Advisory ID: 35182
• Related OSVDB ID: 54744 54748 54751 54752 54753 54754 54755 54756 54757 54758 54759 54760 54761 54763 54764
• Milw0rm: 8820
• Exploit Database: 8820
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-05/0235.html
• Other Advisory URL: http://forum.intern0t.net/exploits-vulnerabilities-pocs/1018-intern0t-amember-3-1-7-multiple-vulnerabilities.html
• Vendor URL: http://www.amember.com/

• InterN0T

NVD does not currently have a CVSSv2 score assigned.