aMember contains a flaw that allows a remote cross site scripting (XSS) attack. This flaw exists because the application does not validate the 'first-name' and 'last-name' parameters upon submission to the 'profile.php' script. This may allow a user to create a specially crafted URL that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

OSVDB is not aware of a solution for this vulnerability.

• Secunia Advisory ID: 35182
• Related OSVDB ID: 54744 54748 54751 54752 54754 54755 54756 54757 54758 54759 54760 54761 54762 54763 54764
• Milw0rm: 8820
• Exploit Database: 8820
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2009-05/0235.html
• Other Advisory URL: http://forum.intern0t.net/exploits-vulnerabilities-pocs/1018-intern0t-amember-3-1-7-multiple-vulnerabilities.html
• Vendor URL: http://www.amember.com/

• InterN0T

NVD does not currently have a CVSSv2 score assigned.