HIO-2008-0713 JOBBEX JobSite SQLi & XSS

Jobbex JobSite contains flaws that allow remote SQL injection and cross-site scripting attacks.

SQL injection occurs because input submitted to the search_result.cfm script through the "jobstateid" and "jobcountryid" parameters is not properly sanitized.
This may allow an attacker to inject or manipulate SQL queries in the backend database.

Additionally, if a query fails, the program discloses the software's installation path. Information disclosure occurs because input submitted to the search_result.cfm script through the "grp" and "jobspage" parameters is not properly sanitized, resulting in disclosure of resource locations. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Cross-site scripting occurs because input submitted to the search_result.cfm script through the "opt" variable is not properly sanitized.
This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
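
For sites that cannot patch immediately, the following is an added example (not part of the original advisory or the vendor's code) that triages web access logs for requests to search_result.cfm whose affected parameters carry unexpected values. The allow-list formats (numeric ids, short alphanumeric tokens) and the common log format are assumptions; adjust them to what the application really sends.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list formats; the advisory names the parameters, not their types.
EXPECTED = {
    "jobstateid": re.compile(r"\d{1,9}"),
    "jobcountryid": re.compile(r"\d{1,9}"),
    "grp": re.compile(r"[A-Za-z0-9_-]{1,32}"),
    "jobspage": re.compile(r"\d{1,6}"),
    "opt": re.compile(r"[A-Za-z0-9_-]{1,32}"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_params(url):
    """Return sorted names of advisory parameters whose values fail the allow-list."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("/search_result.cfm"):
        return []
    # parse_qs percent-decodes values, so encoded input is checked in decoded form.
    query = parse_qs(parts.query, keep_blank_values=True)
    bad = set()
    for name, values in query.items():
        pattern = EXPECTED.get(name.lower())
        if pattern and any(v and not pattern.fullmatch(v) for v in values):
            bad.add(name.lower())
    return sorted(bad)


def triage(log_lines):
    """Yield (line_number, flagged_params) for access-log lines worth reviewing."""
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if match:
            flagged = suspicious_params(match.group(1))
            if flagged:
                yield number, flagged


# Constructed sample lines (common log format), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Jul/2008:10:00:01 +0000] "GET /search_result.cfm?jobstateid=12&jobcountryid=3 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [13/Jul/2008:10:00:05 +0000] "GET /search_result.cfm?jobstateid=12%27&jobcountryid=3 HTTP/1.1" 500 812',
    '192.0.2.12 - - [13/Jul/2008:10:00:09 +0000] "GET /search_result.cfm?opt=%3Cb%3Ex&grp=1 HTTP/1.1" 200 4301',
    '192.0.2.13 - - [13/Jul/2008:10:00:12 +0000] "GET /index.cfm?opt=%3Cb%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    print(list(triage(SAMPLE_LOG)))
```

A flagged line paired with a 500 response is worth reviewing first, since the advisory notes that failed queries disclose the installation path.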

References:

CVE-2008-3339, 3340, 3341

BID: 30302    

OSVDB: 47083 & 47084

SA: 31089

XF: 43912, 43914, 43915

Vendor Solution: Patch
