Today the DHS ICS-CERT published an alert for a cross-site scripting vulnerability in the Advantech WebAccess product [added product name 1-10-13, 06:45 EST] reported by Antu Sanadi of SecPod Technologies (this link was not provided in the alert) in an uncoordinated disclosure. There may have been an attempt at a disclosure here, as the alert describes the report as being released “without successful coordination of the vendor”, but there is nothing on the SecPod site that indicates a coordinated disclosure had been attempted.
The alert notes that the vulnerability is remotely exploitable and could lead to the execution of arbitrary code, the bypass of protection mechanisms and the reading of application data. Proof-of-concept code is available on the SecPod site.