Prevx has this slogan: "We detect the threats that others miss". They state on their
blog that received an unsolicited e-mail from us "raising the possibility that a querystring parameter could be exploited to launch a malicious script by the caller to the download page."
We never sent any e-mail! The only thing that we did was to validate the submitted cross-site scripting vulnerability affecting Prevx.com. The discoverer of the XSS is
security0x00. All the XSS vulnerable websites are saved automatically by a bot and verified with our browsers.
According to their
blog post they were unable to replicate the XSS but managed to secure the validation of input on that particular page to avoid the example method quoted by us.
What a nonsense statement! It is like saying: "The XSS wasn't working but we fixed it to avoid that it works".
