Closed Bug 1238547 Opened 8 years ago Closed 8 years ago

Self-XSS in support.mozilla.org Mobile Site's Main Search Bar (DUPLICATE)

Categories

(support.mozilla.org :: Search, defect)

All
Android
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1238252

People

(Reporter: serverghosts, Unassigned, NeedInfo)

Details

(Keywords: sec-low, wsec-xss)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Linux; U; Android 4.4.2; en-US; PrimoC4 Build/WALTON) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/10.8.0.718 U3/0.8.0 Mobile Safari/534.30

Steps to reproduce:

1: Go here: https://support.mozilla.org/en-US/products

2: Put this payload into the search box: <IFRAME SRC="hello.html" WIDTH=450 HEIGHT=100> </script><script>alert('XSS by de4dly_panda');</script>


Actual results:

JavaScript executed!

Vulnerabilities: xss, csrf


Expected results:

It should have come out in plain text!

Lnazi - Thank you for your submission, but this issue has already been reported.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Summary: Cross site scripting found → Self-XSS in support.mozilla.org Mobile Site's Main Search Bar (DUPLICATE)
Severity: normal → critical
Priority: -- → P3
OS: Unspecified → Android
Hardware: Unspecified → All
Contact me
Flags: needinfo?(serverghosts)
Severity: critical → normal
Priority: P3 → --
Group: websites-security