Vendor site: http://www.creascripts.com/
Product: creadirectory
Bug: SQL injection & XSS
Risk: medium

SQL injection:
/search.asp?search=1&submit=Search&category='[sql]

XSS:
/addlisting.asp?cat=[xss]
/search.asp?search=[xss]

Laurent Gaffié & Benjamin Mossé
http://s-a-p.ca/
Contact: saps.audit@xxxxxxxxx