Tyler Technologies TaxWeb 22.214.171.124 and possibly earlier versions contain cross-site request forgery (CWE-352), information exposure (CWE-203), and reflected cross-site scripting (CWE-79) vulnerabilities.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2013-6018
TaxWeb 126.96.36.199 contains a cross-site request forgery vulnerability on the login.jsp pages. An attacker can send a constructed webpage link to a previously authenticated user to make an unauthorized change to their password.
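The server-side check whose absence defines CWE-352, as an added example that is not part of the original advisory and is not TaxWeb code: a password-change request is accepted only when it arrives with a same-origin header and the token bound to the user's session. The origin `https://taxweb.example`, the session dictionary and the `csrf_token` form field are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed names, not from the advisory: the site origin, the session layout
# and the "csrf_token" form field are hypothetical.
TRUSTED_ORIGIN = "https://taxweb.example"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session):
    """Bind a fresh random token to the authenticated session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def same_origin(headers):
    """Compare Origin (Referer as fallback) with the trusted origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # fail closed when the browser sent neither header
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}".lower() == TRUSTED_ORIGIN


def allow_password_change(method, headers, form, session):
    """Return (allowed, reason) for a password-change request."""
    if method.upper() in SAFE_METHODS:
        return False, "state change requested with a safe method"
    if not same_origin(headers):
        return False, "cross-origin or missing Origin/Referer"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_token(session)
    # Constructed requests: one from the application's own form, one forged.
    own = ("POST", {"Origin": TRUSTED_ORIGIN}, {"csrf_token": token})
    forged = ("POST", {"Origin": "https://other.example"}, {})
    for method, headers, form in (own, forged):
        print(allow_password_change(method, headers, form, session))
```

A request triggered from a link on another site carries the victim's session cookie but neither the matching origin nor the token, so it is refused before the password is touched.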
We are currently unaware of a practical solution to this problem.
Thanks to CAaNES LLC for reporting this vulnerability.
This document was written by Adam Rauf.