FatWire XSS vulnerability, and the perils of Web 2.0

Andrew Davies of Portcullis Computer Security Ltd reports that an older version of FatWire's Web CMS product, Content Server 6.3.0, exposes cross-site scripting (XSS) vulnerabilities "in multiple locations" in the Web UI, "mainly with the search and advanced search functions." FatWire told Davies that it had already fixed the vulnerability in a patch release.

The vulnerability is of the familiar type where a specially crafted URL containing JavaScript can cause mischief if an unsuspecting user clicks a link to it. Reportedly, simply typing something like <script>alert('Hacked!')</script> into a search box is also enough to make the script execute.
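To make the mechanism concrete, here is an added example in Python (not FatWire's code, and the function and parameter names are assumptions): a minimal search-results renderer that echoes the query unescaped, beside the corrected version that HTML-escapes it, plus a helper that checks whether a response reflects the raw term so a tester can confirm the fix.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample input: the search term from the post, whether typed
# into the search box or carried in the 'q' parameter of a crafted link.
SAMPLE_QUERY = "<script>alert('Hacked!')</script>"


def render_results_vulnerable(query: str, hits: list[str]) -> str:
    """Echoes the search term into the page unescaped: a reflected XSS defect."""
    items = "".join(f"<li>{h}</li>" for h in hits)
    return f"<h2>Results for: {query}</h2><ul>{items}</ul>"


def render_results_fixed(query: str, hits: list[str]) -> str:
    """Escapes every untrusted value for the HTML text context before emitting it."""
    safe_query = html.escape(query, quote=True)
    items = "".join(f"<li>{html.escape(h, quote=True)}</li>" for h in hits)
    return f"<h2>Results for: {safe_query}</h2><ul>{items}</ul>"


def query_from_url(url: str) -> str:
    """Extracts the 'q' parameter the way a search endpoint would (assumed name),
    which is why a link and a typed query reach the renderer as the same string."""
    params = parse_qs(urlparse(url).query)
    return params.get("q", [""])[0]


def reflects_markup(page: str, query: str) -> bool:
    """Detection check: True if the raw query appears verbatim in the response,
    meaning the term was reflected without encoding."""
    return query in page


if __name__ == "__main__":
    print("vulnerable:", reflects_markup(render_results_vulnerable(SAMPLE_QUERY, []), SAMPLE_QUERY))
    print("fixed:     ", reflects_markup(render_results_fixed(SAMPLE_QUERY, []), SAMPLE_QUERY))
```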

Just for kicks, I tried searching for word of the vulnerability on http://developernet.fatwire.com. But the Search box was disabled. Probably wise.

My goal here is not to ding FatWire specifically (and remember, 6.3 is not the latest version of Content Server), but to remind you that, in your quest for customer-facing interactivity, to the extent you turn dynamic interaction over to your Web CMS, you also inherit its security profile. I think we'll see more of these alerts. Forewarned is forearmed.

Update (29 November): FatWire says that the XSS vulnerability described by Portcullis affects only the administrative search interface, not any UI that can be seen by non-admins. A patch is available directly from FatWire.
