Vulnerability Note VU#732115

Project Open cross-site scripting vulnerability

Original Release date: 03 Feb 2012 | Last revised: 01 Nov 2012


Project Open ]po[ version 3.4 and possibly earlier versions suffer from a reflective cross-site scripting (XSS) vulnerability in the account-closed.tcl script


The XSS vulnerability (CWE-79) is contained within the message parameter in the account-closed.tcl script.



An attacker may be able to execute arbitrary Javascript in the context of the user's browser.


We are currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
Project OpenAffected19 Jan 201201 Feb 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal 3.5 E:POC/RL:U/RC:UC
Environmental 3.5 CDP:/TD:/CR:ND/IR:ND/AR:ND



Thanks to Michail Poultsakis for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

  • CVE IDs: CVE-2012-1027
  • Date Public: 01 Feb 2012
  • Date First Published: 03 Feb 2012
  • Date Last Updated: 01 Nov 2012
  • Severity Metric: 0.05
  • Document Revision: 18


If you have feedback, comments, or additional information about this vulnerability, please send us email.