Astun Technology iShare Maps Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in Astun Technology iShare Maps version 5.4.0. The issue arises in the historic1.asp file, specifically within the Zoom parameter. This vulnerability allows remote attackers to inject and execute arbitrary JavaScript in the context of the user's browser. The affected instance is used by the Dudley Metropolitan Borough Council website and displays 'Powered by iShare', confirming the use of the iShare platform.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where injected scripts are executed in the context of the user's browser. This could lead to session hijacking, phishing attacks, or other malicious actions.

Reproduction

To reproduce this vulnerability, navigate to the historic1.asp page on a site using Astun Technology iShare Maps 5.4.0. Inject a script into the Zoom parameter, such as a JavaScript payload that exploits the cross-site scripting vulnerability, such as an image tag with an error event handler.