1. OVERVIEW
The Elgg 1.7.9 and lower versions are vulnerable to multiple Cross Site Scripting.
2. BACKGROUND
Elgg is an award-winning social networking engine, delivering the building blocks that enable businesses, schools, universities and associations to create their own fully-featured social networks and applications. Well-known Organizations with networks powered by Elgg include: Australian Government, British Government, Federal Canadian Government, MITRE, The World Bank, UNESCO, NASA, Stanford University, Johns Hopkins University and more (http://elgg.org/powering.php)
3. VULNERABILITY DESCRIPTION
Several parameters (page_owner, content,internalname, QUERY_STRING) are not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser.
4. VERSIONS AFFECTED
Elgg 1.7.9 <=
5. PROOF-OF-CONCEPT/EXPLOIT