BBIS: Allows JavaScript injection on registration form

When a new registrant attempts to sign up on the BBIS new user registration page they are allowed to enter javascript code in the username box.
This code is executed by BBIS.
Download and install the latest patch which contains all fixes from previous patches. If you are running an older version, download and install the latest version and then the patch. 

Steps to Duplicate

go to BBIS new user registration page
sign up using username: </script><script>alert('test');</script><script>
once submitted the username script will execute.


 Blackbaud Internet Solutions
 Service Pack 9

Was this article helpful?