Vulnerability Note VU#732115

Project Open cross-site scripting vulnerability

Original Release date: 03 Feb 2012 | Last revised: 24 Jul 2014


Project Open ]po[ version 3.4 and possibly earlier versions suffer from a reflective cross-site scripting (XSS) vulnerability in the account-closed.tcl script


The XSS vulnerability (CWE-79) is contained within the message parameter in the account-closed.tcl script.



An attacker may be able to execute arbitrary Javascript in the context of the user's browser.


We are currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Project OpenAffected19 Jan 201201 Feb 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal 3.5 E:POC/RL:U/RC:UC
Environmental 0.9 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Michail Poultsakis for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-1027
  • Date Public: 01 Feb 2012
  • Date First Published: 03 Feb 2012
  • Date Last Updated: 24 Jul 2014
  • Severity Metric: 0.05
  • Document Revision: 21


If you have feedback, comments, or additional information about this vulnerability, please send us email.