I have the following advisory for you.
SiteScape Forum TCL injection
===============================
discovered by firstname.lastname@example.org
PRODUCT: SiteScape Forum
EXPOSURE: TCL injection
=======
By URL modification it is possible to insert TCL code into the application.
An account on the target server is not required.
PROOF OF CONCEPT
===============
Make an HTTP request in the form of
You can now enter commands separated by semicolons.
There are some restrictions, but exploitation is possible.
=========
Upgrade to the latest version.
==============
"We have developed, tested, and distributed a fix to our current customer
base via our support site. The patch is available here:
This URL requires a login. Thank you for alerting us."
=====
From sitescape.com:
"SiteScape's flagship product, SiteScape Forum(R), ...
SiteScape collaborative solutions are currently implemented worldwide
in organizations including the US Navy, US Centers for Disease
Control, the European Space Agency, Lockheed Martin..."