XSS and SQL Injection Vulnerabilities in GNew

Information

Advisory by: Netsparker (now Invicti)
Name: XSS and SQL Injection Vulnerabilities in GNew
Software: GNew 2013.1 and possibly below
Vendor Homepage: http://freecode.com/projects/gnew
Vulnerability Type: Cross-Site Scripting and SQL Injection
Severity: Critical
Researcher: Omar Kurt
Advisory Reference: NS-13-016

Description

GNew is a simple content management system. It is fully customizable through a template system and supports multiple languages. It features easy installation, a simple but complete administration section, multi-level categories, article management, news management with an advanced comments system, poll management, user management, a forum, a search engine, RSS feed generation, BBCode and HTML support, emoticons, and more.

Details

GNew version 2013.1 is affected by Cross-Site Scripting (XSS) and Blind SQL Injection vulnerabilities, both reachable through the news_id parameter of a POST request.

Example PoC URLs:

XSS:
- (POST - params: news_id)

Blind SQL Injection:
- (POST - params: news_id)
-

Solution

No patch was released.

Advisory Timeline

28/08/2013: First Contact - No Response
16/09/2013: Second Contact - No Response
18/12/2013: Vulnerability Released

Credits

Discovered during testing with the Invicti Web Application Security Scanner.