Closed
Bug 648821
Opened 13 years ago
Closed 13 years ago
Cross-Site Scripting (XSS) Vulnerability Found on developer.mozilla.org
Categories
(developer.mozilla.org Graveyard :: Wiki pages, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 622996
People
(Reporter: chingshiong, Unassigned)
References
()
Details
User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:2.0) Gecko/20100101 Firefox/4.0 Build Identifier: A Cross-Site Scripting (XSS) vulnerability has been discovered in developer.mozilla.org, which can be exploited by malicious users to conduct Cross-Site Scripting (XSS) attacks. Input passed via the "pageId" parameter to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Tested on Firefox 4.0. FYI. Below is the PoC: Cross-Site Scripting (XSS): =========================== https://developer.mozilla.org/index.php?title=Special:Tags&pageId=1279'"--></style></script><script>alert(document.cookie)</script> Reproducible: Always
Comment 1•13 years ago
|
||
I think this is a dupe
Component: Other → Website
Product: Websites → Mozilla Developer Network
QA Contact: other → website
Reporter | ||
Comment 2•13 years ago
|
||
(In reply to comment #1) > I think this is a dupe Hi Wil Clouser, Have you tested the PoC on your machine? I have tested and it worked on my Firefox 4.0. Please let me know if you require any further information or enquiries.
Reporter | ||
Comment 3•13 years ago
|
||
(In reply to comment #2) > (In reply to comment #1) > > I think this is a dupe > > Hi Wil Clouser, > Have you tested the PoC on your machine? I have tested and it worked on my > Firefox 4.0. > > Please let me know if you require any further information or enquiries. Also, I have searched thru the reported bug and I couldn't find any duplicates.
Updated•13 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Assignee | ||
Updated•12 years ago
|
Component: Website → Landing pages
Comment 5•8 years ago
|
||
For bugs that are resolved, we remove the security flag. These haven't had their flag removed, so I'm removing it now.
Group: websites-security
Updated•4 years ago
|
Product: developer.mozilla.org → developer.mozilla.org Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•