CSE.UNSW.EDU.AU XSS Vulnerability

XSS9060

Overview

The staff search page does not sanitise the input of the ID field, which is passed in the URL query string, allowing an XSS attack to be executed.

Code:

http://www.cse.unsw.edu.au/db/staff/staff.php?ID="><script>prompt(42)</script>
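
One way the reported behaviour arises and is fixed, shown as an added example that is not code from the original report or from the CSE site. The input markup, the function names and the numeric ID format are assumptions, since the source of staff.php is not shown.

```php
<?php
// Hypothetical reconstruction; the real staff.php source is not on the page.

// Vulnerable pattern: the raw query value is concatenated into an attribute,
// so a value containing "> closes the attribute and the tag.
function render_unsafe(string $id): string
{
    return '<input type="text" name="ID" value="' . $id . '">';
}

// Hardened output: encode for the HTML attribute context at the point of output.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
function render_safe(string $id): string
{
    $encoded = htmlspecialchars($id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="ID" value="' . $encoded . '">';
}

// Input validation as a second layer. Assumption: staff IDs are short
// numeric strings; adjust the pattern to the real ID format.
// The is_string() check also rejects array input such as ?ID[]=1.
function parse_staff_id($raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[0-9]{1,10}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs, plus the value from the report above.
$samples = ['3001234', "O'Brien", '"><script>prompt(42)</script>'];

foreach ($samples as $raw) {
    $id = parse_staff_id($raw);
    echo 'raw:      ', $raw, PHP_EOL;
    echo 'unsafe:   ', render_unsafe($raw), PHP_EOL;
    echo 'encoded:  ', render_safe($raw), PHP_EOL;
    echo 'accepted: ', $id === null ? 'no (respond with HTTP 400)' : 'yes', PHP_EOL, PHP_EOL;
}
```

In a request handler the value would come from `$_GET['ID'] ?? null`; validation rejects malformed IDs early, while the output encoding is what keeps any value that does reach the template from being parsed as markup.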
