Penske Media Cross-site Scripting

Update 05-Jan-2013:

All reported issues have been fixed. The Packet Storm entry has been updated:



Original situation:

Multiple Penske Media Corporation web-sites are vulnerable to reflected Cross-site Scripting attacks. Vulnerable sites 20-Nov-2012:,, and


Update 27-Nov-2012:

The Senior Director of Engineering at PMC contacted me shortly after this post. Security issues are being addressed in an effective manner.  – Issue has been fixed during Thanksgiving holiday

According to PMC, the rest of the vulnerabilities should be fixed in the near future.


Packet storm advisory:

I reported the findings initially to various contacts at Variety on 16-Oct-2012. All reporting attempts apparently failed, because there has been no response.

Users should be careful and avoid clicking on the links that are pointing to XSS vulnerable domains.

Example screen-shots: XSS XSS


2 thoughts on “Penske Media Cross-site Scripting”

  1. shpendk says:

    pretty tough.. congratz..

  2. jannefi says:

    As you can see from the update, PMC has been actively working on the fixes after they saw the advisory. My original vulnerability report did not reach the correct persons. PMC clearly takes security issues seriously.
