packetstorm | Jing Wang | PACKETSTORM:130193

Jan 31, 2015 - 12:00 a.m.

SnipSnap 0.5.2a / 1.0b1 / 1.0b2 Cross Site Scripting


EPSS: 0.001 (percentile: 49.8%)

`CVE-2014-9559 SnipSnap XSS (Cross-Site Scripting) Security Vulnerabilities  
  
Exploit Title: SnipSnap /snipsnap-search? query Parameter XSS  
Product: SnipSnap  
Vulnerable Versions: 0.5.2a 1.0b1 1.0b2  
Tested Version: 0.5.2a 1.0b1 1.0b2  
Advisory Publication: Jan 30, 2015  
Latest Update: Jan 30, 2015  
Vulnerability Type: Cross-Site Scripting [CWE-79]  
CVE Reference: CVE-2014-9559  
Credit: Wang Jing [MAS, Nanyang Technological University (NTU), Singapore]  
  
  
  
  
  
Advisory Details:  
  
  
(1) Vendor & Product Description  
  
Vendor:  
SnipSnap  
  
Product & Version:  
SnipSnap  
0.5.2a  
1.0b1  
1.0b2  
  
  
Vendor URL & Download:  
http://snipsnap.org  
  
Product Description:  
"SnipSnap is a user friendly content management system with features such  
as wiki and weblog. "  
  
  
  
  
  
  
  
(2) Vulnerability Details:  
SnipSnap contains a cross-site scripting (XSS) vulnerability.  
  
(2.1) The vulnerability occurs in the "query" parameter of the  
"snipsnap-search?" page.  
  
  
  
  
  
  
References:  
http://tetraph.com/security/cves/cve-2014-9559-snipsnap-xss-cross-site-scripting-security-vulnerabilities/  
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9559  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9559  
https://security-tracker.debian.org/tracker/CVE-2014-9559  
http://www.cvedetails.com/cve/CVE-2014-9559/  
http://www.security-database.com/detail.php?alert=CVE-2014-9559  
http://packetstormsecurity.com/files/cve/CVE-2014-9559  
http://www.pentest.it/cve-2014-9559.html  
http://www.naked-security.com/cve/CVE-2014-9559/  
http://007software.net/cve-2014-9559/  
  
  
  
  
  
  
--  
Wang Jing,  
Division of Mathematical Sciences (MAS),  
School of Physical and Mathematical Sciences (SPMS),  
Nanyang Technological University (NTU),  
Singapore.  
http://www.tetraph.com/wangjing/  
  
  
`
