Status

quality.mozilla.org
Website
RESOLVED INVALID
4 years ago
4 years ago

People

(Reporter: Archita, Unassigned)

Tracking

unspecified
x86
Windows 7
Bug Flags:
sec-bounty -

Details

(Whiteboard: [site:quality.mozilla.org][reporter-external])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
Created attachment 8444664 [details]
proof of concept

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36

Steps to reproduce:

Hello Team,

I would like to report a Cross Site Scripting vulnerability in your main domain, i.e. 'https://quality.mozilla.org'

Vulnerability Name: Cross Site Scripting

Injection URL: https://quality.mozilla.org/teams/automation/

Payload Used: ?aaa""><script>alert(document.domain)</script>
Steps to Reproduce:

1. Go to the vulnerable URL
2. Intercept the request, and give the payload directly in the URL

i.e.: https://quality.mozilla.org/teams/automation/?aaa""><script>alert(document.domain)</script>
3. Hit enter and then you will get the XSS pop-up


Actual results:

xss payload will be executed


Expected results:

xss payload executed
Group: core-security → websites-security
Component: General → Website
Product: Core → quality.mozilla.org
Version: 1.0 Branch → unspecified
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Flags: sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: [site:quality.mozilla.org][reporter-external][IE-only]
Duplicate of bug: 889303

Updated

4 years ago
Blocks: 835509
The reporter sent a video that showed they were using Burp Suite to alter the message via proxying; as such, this is a self-XSS and not a true vulnerability.
Group: websites-security
Resolution: DUPLICATE → INVALID
Whiteboard: [site:quality.mozilla.org][reporter-external][IE-only] → [site:quality.mozilla.org][reporter-external]
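
A triage check for the situation described in the comment above, as an added example that is not part of the bug or of Mozilla's code: it computes the request target a WHATWG-URL-compliant browser would send for the reported URL and flags payloads whose HTML-significant characters never leave the browser raw. It assumes the proxy edit restored characters the browser had percent-encoded; `wireForm` and `triage` are hypothetical names.

```javascript
// Added triage example (not from the bug report): does a reported reflected-XSS
// payload survive the URL serialization a browser performs before sending?

// Characters that must arrive raw for this payload to close an attribute and
// open a tag when the server echoes the query string without decoding it.
const HTML_SIGNIFICANT = ['"', '<', '>'];

// Request target a WHATWG-URL-compliant client puts on the wire.
function wireForm(reported) {
  const u = new URL(reported);
  return u.pathname + u.search;
}

// Compare the query as typed in the report with the query as sent.
function triage(reported) {
  const q = reported.indexOf('?');
  const typedQuery = q === -1 ? '' : reported.slice(q);
  const onWire = wireForm(reported);
  const typed = HTML_SIGNIFICANT.filter((c) => typedQuery.includes(c));
  const surviving = typed.filter((c) => onWire.includes(c));
  return {
    onWire,
    typed,
    surviving,
    // The payload depends on characters the browser never sends raw, so
    // reproducing it requires editing the request in a proxy.
    needsTampering: typed.length > 0 && surviving.length === 0,
  };
}

// URL exactly as given in the report on this page.
const reported =
  'https://quality.mozilla.org/teams/automation/?aaa""><script>alert(document.domain)</script>';
const result = triage(reported);
console.log(result.onWire);
console.log('needs request tampering:', result.needsTampering);
```

The result only settles the case where the server echoes the raw request line; a server that percent-decodes before reflecting, or a client that sends these characters unencoded, changes the outcome and needs a separate test.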